Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trump's Cyber Security Advisor Rudy Giuliani Runs Ancient, Utterly Hackable Website (theregister.co.uk)

Posted by BeauHD on from the irony-and-its-best dept.

mask.of.sanity writes from a report via The Register: U.S. president-elect Donald Trump's freshly minted cyber tsar Rudy Giuliani runs a website so insecure that its content management system is five years out of date, unpatched and is utterly hackable. Giulianisecurity.com, the website for Giuliani's eponymous infosec consultancy firm, runs Joomla! version 3.0, released in 2012, and since found to carry 15 separate vulnerabilities. More bugs and poor secure controls abound. The Register report adds: "Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server. This seemingly insecure system also has a surprising number of network ports open -- from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD. 'You can probably break into Giuliani's server,' said Robert Graham of Errata Security. 'I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses. 'But that doesn't matter. There's nothing on Giuliani's server worth hacking.'"

11 of 280 comments (clear)

  1. Not really a big deal. by Lisandro · · Score: 5, Insightful

    Robert Graham explained it succinctly: http://blog.erratasec.com/2017... .

    The real story here is that Giuliani is now a goddamn cybersecurity advisor, not that this personal site is crap. The guy was hired not because of competence but because he spent the entire campaign kissing Trump's ass.

    1. Re:Not really a big deal. by Anonymous Coward · · Score: 5, Insightful

      You might not get anything interesting from the server, but you could use it to infect other systems and visitors, who might be high profile targets given what it's hosting. The complete disregard for a server might be acceptable for a mom & pop shop, but not for someone who's going to advise the President of the United States of America on security issues.

    2. Re:Not really a big deal. by Dr.+Evil · · Score: 5, Insightful

      "All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."

      He outsourced to a 2-bit shop with no recognition of the reputational risk. That's a security fail.

    3. Re:Not really a big deal. by unrtst · · Score: 5, Insightful

      Agreed, and I'd take it several steps further...

      Sure, not all people leading these positions are experts at those fields. I'd argue they should be, but if they're competent enough at leading people that are experts, that'd probably do as well.

      I'd also concede that Giuliani almost certainly didn't set up this server himself, so he's not directly to blame for that.

      However, when those two are combined, it's an utter failure. He is not qualified to do the actual work, and when he has had others do the work (for an "infosec consultancy firm", no less), they utterly failed - thus his leadership of them is also an utter failure. To fill the cyber security advisor role, one should be able to either do the work directly, or be smart enough to interface with those that can do the work. As Trump would say, so sad!

    4. Re: Not really a big deal. by Anonymous Coward · · Score: 5, Informative

      Stephen Chu was the Energy Secretary, and was followed by Ernest Moniz, a nuclear physicist from MIT. They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:

      http://abcnews.go.com/blogs/politics/2011/11/rick-perrys-debate-lapse-oops-cant-remember-department-of-energy/

    5. Re: Not really a big deal. by ClickOnThis · · Score: 5, Insightful

      Stephen Chu was the Energy Secretary, and was followed by Ernest Moniz, a nuclear physicist from MIT. They understand nuclear physics, unlike Rick Perry who doesn't even remember the name of the department he was recently appointed to lead:

      http://abcnews.go.com/blogs/politics/2011/11/rick-perrys-debate-lapse-oops-cant-remember-department-of-energy/

      He had a brain-freeze. It can happen to any of us.

      But what's ironic here is not that he forgot the name of the department. It's that he intended to shut it down, and now he's going to lead it.

      --
      If it weren't for deadlines, nothing would be late.
  2. They need better cyber by DogDude · · Score: 5, Funny

    "So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."

    --
    I don't respond to AC's.
  3. Re:This should be the only comment by JoeMerchant · · Score: 5, Insightful

    Nothing to talk about, plenty to do... 15 known exploits: get to work.

  4. Competency by HogGeek · · Score: 5, Informative

    The DNS entry has been removed, but the server continues to run:

    http://209.238.99.227/index.ph...

  5. Par for the course by damn_registrars · · Score: 5, Insightful

    Considering how many Trump cabinet appointees are openly opposed to the missions - or even existence - of the departments he is aiming to appoint them to head, why would it be a surprise that a "cyber security advisor" is running an atrociously insecure site?

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  6. Re:Random aspersions by guises · · Score: 5, Informative
    Ugh. I hate those posts which go line-by-line quoting and responding and ultimately don't say anything. That's really what I want to do here, because everything you've written here is just... terrible. I'm only going to focus on one thing though:

    Obama appointed Caroline Kennedy as ambassador to Japan, who was completely outmastered in our recent Japanese treaty negotiations(*). (*) Resulting in a treaty which is beneficial to Japan, but a very bad deal for America.

    I assume you're talking about the TPP and, in particular, the point that this person is trying to make about the TPP being good for the Japanese auto industry and bad for the American auto industry? If not I don't know what you're talking about, but that's the talking point which was making the rounds.

    Let me quote the AC directly underneath that:

    The negative impact on the US auto industry really misses the point, protectionism is almost always to the detriment of the country as a whole. Under the deal the Japanese agricultural industry suffers, but all Japanese people get cheaper food. It's a net benefit to Japan, even though it has a negative impact on that specific industry. At the same time the US agricultural industry gains from this. Likewise: under the deal the US auto industry suffers, but all Americans get cheaper cars. Since almost all Americans drive, it's a net benefit to the US. And, at the same time, the Japanese auto industry gains from this. Exactly the same situation as above.

    Disclaimer: I was that AC. Just didn't log in.

    Of your points, this is one that I wanted to address because this sort of protectionism is something which really resonates with people who don't think too hard about it. It seems so simple: "Protect American jobs! The only cost is screwing some foreigners! Why haven't we been doing this all along? Our government must be corrupt or stupid or something." It's a topic which demagogues can latch onto, but the only people who protectionism really benefits are the people in control of the industry in question. Even to the peons in that industry the benefit from protectionism is questionable.

    It's like those people who claim that climate change doesn't exist because it still gets cold in winter: it kinda makes sense as long as you don't think to hard about it. And that's all it takes to convince some people.