Stunned security experts tear strips off president-elect pick hours after announcement
US president-elect Donald Trump’s freshly minted cyber-tsar Rudy Giuliani runs a website with a content management system years out of date and potentially utterly hackable.
Former New York City mayor and Donald loyalist Giuliani was today unveiled by Trump’s transition team as the future president’s cybersecurity adviser – meaning Giuliani will play a crucial role in the defense of America’s computer infrastructure.
Giulianisecurity.com, the website for the ex-mayor’s eponymous infosec consultancy firm, is powered by a roughly five-year-old build of Joomla! that is packed with vulnerabilities.
Some of those bugs can be potentially exploited by miscreants using basic SQL injection techniques to compromise the server.
This seemingly insecure system also has a surprising number of network ports open – from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007.
Security gurus are right now tearing strips off Trump’s cyber-wizard pick.
Top hacker Dan Tentler was first to point out the severely out-of-date Joomla! install.
“It speaks volumes,” Tentler told The Register, referring to Giuliani’s computer security credentials, or lack of, and fitness for the top post.
“Seventy-year-old luddite autocrats who often brag about not using technology are somehow put in charge of technology: it’s like setting our country on fire and giving every extranational hacker a roman candle – or, rather, not setting on fire, but dousing in gasoline.”
Content management system developer Michael Fienen also pulled no punches:
The most surprising fact in all of this is that the Giuliani Security website hasn’t ALREADY been hacked.
They might as well put out a sign.
— Michael Fienen (@fienen) January 12, 2017
It gets worse. “Giuliani is running a version of PHP that was released in 2013, and a version of Joomla that was released around 2012,” said Ty Miller, a director at Sydney-based infosec biz Threat Intelligence.
“Using the version information, within minutes we were able to identify a combined list of 41 publicly known vulnerabilities and 19 publicly available exploits.
Depending upon the configuration of the website, these exploits may or may not work, but is an indication that Giuliani’s security needs to be taken up a level.”
Found on /r/sysadmin, presented without comment. pic.twitter.com/UmWe7tHURv
— Ryan Castellucci (@ryancdotorg) January 12, 2017
Another computer security expert, speaking to The Register on condition of anonymity, analyzed Giuliani’s website for us. Our guru, based in Australia, said that while the pending cyber-tsar is likely to have outsourced management of his online base, the fact that the mayor-turned-cyber-expert didn’t check for lax security on his own website is not going to instill any confidence.
We have reproduced our contact’s assessment in full below. ®
‘Someone should be taken to task for this’
Well, talking nuts and bolts: that website is hosted with a hosting provider.
It looks like it has its own IP address based on having a single DNS PTR object (reverse address to the name giulianisecurity.com) which means it’s unlikely to be in use by other organisations (except maybe his own… who knows.)
That IP address is allocated out of a block of addresses registered to Japanese giant NTT but these could also be provided to NTT’s customers such as web developers/hosting providers etc. Without actively poking at the site – which I’m terrified to do, frankly – it may be shared hosting, may be a VPS, or may be a physically separate dedicated hosting solution.
I’m betting it’s a cheap VPS-based ‘dedicated’ solution.
My experience with this kind of hosting means that a nice attack vector is identifying the hosting provider and trying to get allocated a similar hosting solution in the adjacent IP address space, getting root on it (or having it if it’s a VPS) and then using ‘layer 2’ fun and games to redirect the victim site’s traffic to the attacker.
This still works amazingly well and is why smart people try to do things like statically publish layer-2 addresses for layer 3 IP gateways (although this is only so effective, really).
For the giulianisecurity.com domain they seem to use Microsoft Office 365 for his email. Not a bad choice.
Email security sucks and, unless you know what you’re doing/are a glutton for punishment or are generally my kind of tinfoilhat wearer (hey, friends), it’s best to leave email security to someone reasonably credible.
I also note they use a large trademark monitor company – MarkMonitor.com – for the DNS service provider for the domain name giulianisecurity.com. Which is hilarious.
Because, yeah, you’d want to intrude trademark-wise on this guy’s name because it’s such a valuable brand. Like Trump’s, you know?
The reality is someone else makes these choices for him for his business.
It’s not like he’s there, updating his ancient and known vulnerable Joomla content management system himself (he’d get props from me if that were the case 🙂)
Anyone truly trying to protect your brand would avoid putting a giant red flag like an unpatched CMS in a commodity hosting environment out there. Whether it’s Giuliani’s company’s responsibility or an outsourced provider’s (very likely) the ‘having ancient Joomla’ in place is a pretty bad look.
Someone should be taken to task a bit for this.
And if you’re a security and safety company with an understanding of information security threats you’d have threat management programs in place to identify and improve your controls.
For example, if you were undertaking actual security testing of your site I’d wager anyone in infosec – or in IT generally really – would’ve noticed the ancient CMS and its default install remnants using the crappiest, free-est tools out there.
So respectfully, Rudy, get someone to patch your shit and seek out some kind of specialist advice.
Snarky comments aside – it really comes down to this greater concern: there’s literally millions of people in infosec who would be better cyber security advisors than Giuliani or whomever his technical advisors are that he’d call on for advice.
So I’d ask – again respectfully – that the president elect cast a slightly wider net than he has to receive ‘cyber’ security advice.
As much as most people in infosec are a bunch of opinionated jerks (oh, and we are) we’re all here to help. Just ask a professional.
First sign in knowing one? It’s the person who doesn’t use the word ‘cyber’ to prefix everything they say.
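
The assessment mentions statically publishing layer-2 addresses for layer-3 gateways as a defence against traffic redirection on a shared hosting segment. The following is an added example, not part of the assessment or of The Register's article, showing how a host operator could check that defence from the Linux neighbour table. It assumes the text format printed by `ip neigh show`; the function names, the addresses (documentation ranges) and the sample tables are constructed for illustration.

```python
import re

# One line of `ip neigh show`, e.g.
#   192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)"
    r"(?: lladdr (?P<mac>[0-9A-Fa-f:]{17}))?(?: router)? (?P<state>[A-Z]+)$"
)

# Constructed samples (documentation IP and MAC ranges), not real captures.
SAMPLE_PINNED = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 PERMANENT
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:14 STALE
"""
SAMPLE_SPOOFED = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.66 dev eth0 lladdr 00:00:5e:00:53:66 STALE
192.0.2.20 dev eth0 FAILED
"""

def parse_neigh(text):
    """Parse neighbour-table text into dicts with ip, dev, mac and state."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["mac"] = (entry["mac"] or "").lower()
            entries.append(entry)
    return entries

def audit_gateway(text, gateway_ip, pinned_mac):
    """Return findings for the gateway entry; an empty list means it is pinned."""
    entries = parse_neigh(text)
    gw = next((e for e in entries if e["ip"] == gateway_ip), None)
    if gw is None:
        return ["gateway-missing"]
    findings = []
    if gw["mac"] != pinned_mac.lower():
        findings.append("gateway-mac-mismatch")
    if gw["state"] != "PERMANENT":
        # A learned entry can be overwritten by an unsolicited ARP reply.
        findings.append("gateway-not-static")
    # Two IPs resolving to one MAC is the usual trace of traffic redirection.
    for e in entries:
        if e["ip"] != gateway_ip and gw["mac"] and e["mac"] == gw["mac"]:
            findings.append("gateway-mac-shared:" + e["ip"])
    return findings
```

Run `audit_gateway` on the output of `ip neigh show` with the gateway address and the MAC address confirmed by the hosting provider; any finding other than an empty list is worth an alert.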