Giuliani Security homepage

Yesterday, President-elect Donald Trump announced the appointment of former New York Mayor Rudy Giuliani as his cyber security advisor concerning the US private sector.

The news made headlines, mostly because Rudy Giuliani is about the last person anyone would think of as qualified to handle "the cyber," and because nobody seemed to know what Giuliani's security firm actually does.

The infosec community didn't take the news lightly, having hoped to see someone with more expertise in that position. It also didn't take long for security researchers around the world to find flaws in the website of Giuliani's security firm.

Giuliani's company using three-year-old Joomla version

According to Phobos Group founder Dan Tentler, the website of Giuliani's security company runs a very old release of Joomla, a free, open-source CMS.

That's Joomla 3.1.1, released in April 2013. Since then, Joomla has been hit by two critical vulnerabilities serious enough to let attackers take full control of an installation: CVE-2015-8562, a PHP object injection flaw that was exploited in the wild and fixed in 3.4.6, and CVE-2016-9838, an account-modification flaw that allows privilege escalation and was fixed in 3.6.5. A 3.1.1 install predates both fixes, along with every other security release issued in between.

But that's not the worst of it. The Joomla admin login page (Joomla's default /administrator/ path) is also freely reachable, meaning anyone can hit it and try to brute-force the admin password.

Giuliani Security Joomla login panel (via Michael Fienen)

Furthermore, this Joomla installation doesn't protect its core configuration files, which can be read directly in a browser.
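The three Joomla findings above (an old version disclosed by the install itself, an exposed admin login, readable configuration files) are exactly the checks an external assessor runs first. The script below is an added example, not code from the article or from the site's operators: it reads the version from the manifest Joomla ships at /administrator/manifests/files/joomla.xml, compares it against the versions in which the two CVEs named above were fixed, and probes the default admin path and configuration.php. The fixed-version table and the "served as plain text" heuristic for configuration.php are assumptions of this example; the path of the configuration file the article saw is not stated on the page.

```python
"""External Joomla fingerprint and known-vulnerable-version check (added example)."""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

MANIFEST_PATH = "/administrator/manifests/files/joomla.xml"  # ships with every Joomla 3.x
ADMIN_PATH = "/administrator/"                               # default admin login
CONFIG_PATH = "/configuration.php"                           # assumed config-file check

# Version in which each CVE named in the article was fixed. Assumed from the
# Joomla release notes; verify against the vendor advisory before relying on it.
FIXED_IN = {
    "CVE-2015-8562": (3, 4, 6),   # PHP object injection via User-Agent -> RCE
    "CVE-2016-9838": (3, 6, 5),   # account modification -> privilege escalation
}


def parse_version(s):
    """'3.10.2' -> (3, 10, 2): tuples compare numerically, strings would not."""
    return tuple(int(p) for p in s.strip().split(".") if p)


def version_from_manifest(xml_text):
    """Pull <version>x.y.z</version> out of the Joomla manifest, or None."""
    m = re.search(r"<version>\s*([0-9][0-9.]*)\s*</version>", xml_text)
    return m.group(1) if m else None


def unpatched_cves(version):
    """CVEs from FIXED_IN whose fix landed after the given version."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def fetch(url, timeout=10):
    """GET a URL; return (status, body). HTTP errors become a status, not an exception."""
    req = urllib.request.Request(url, headers={"User-Agent": "hygiene-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError as e:
        return None, str(e.reason)


def audit(base_url):
    """Run the three checks against a live host; return findings as strings."""
    base = base_url.rstrip("/")
    findings = []

    status, body = fetch(base + MANIFEST_PATH)
    version = version_from_manifest(body) if status == 200 else None
    if version:
        findings.append(f"Joomla {version} disclosed by manifest")
        for cve in unpatched_cves(version):
            findings.append(f"{version} predates the fix for {cve}")

    status, _ = fetch(base + ADMIN_PATH)
    if status == 200:
        findings.append("admin login page reachable from the internet")

    # If PHP executes configuration.php the body is empty; if the web server
    # hands the file out as text, the class body with its "public $" fields leaks.
    status, body = fetch(base + CONFIG_PATH)
    if status == 200 and "public $" in body:
        findings.append("configuration.php served as plain text")

    return findings


if __name__ == "__main__":
    for finding in audit(sys.argv[1]):
        print("[!]", finding)
```

Run it as `python3 joomla_check.py https://example.com` against a host you are authorised to test. The version comparison is the part worth keeping: a 3.1.1 manifest falls below both fixed versions, so both CVEs are reported.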

Running an end-of-life PHP version on a nine-year-old OS

Security researcher Michael Fienen also noticed that the server hosting the website runs PHP 5.4.45, the final release of a branch that stopped receiving security fixes in September 2015.

The server, which runs a nine-year-old FreeBSD 6 release (a line that has itself been out of support since 2010), also accepts SSH connections from anywhere, something that should normally be restricted to a small set of trusted IPs. In fact, many of the server's services appear to be exposed to the entire internet.

List of open ports for the Giuliani Security server (via Ryan Castellucci)

Additionally, the Giuliani Security website uses an expired SSL certificate and doesn't redirect plain HTTP to HTTPS, so the "https://" in front of its URL gives visitors nothing.

As you can imagine, an SSL test on any of the public SSL testing services gives the site an F rating. For comparison, Bleeping Computer, a meager news portal and computer help forum (that's not advising the President on "the cyber"), gets A and A+ ratings in the same tests.
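The two transport findings behind that F rating (no redirect from HTTP to HTTPS, an expired certificate) can be confirmed from the outside with nothing but the Python standard library. The script below is an added example, not code from the article: it fetches the plain-HTTP front page without following redirects and checks whether the first hop points at an https:// URL, then performs a verified TLS handshake and reports either the OpenSSL verification failure (an expired leaf is verify code 10) or the days left on a valid certificate. The verify-code constant and the 30-day warning threshold are this example's assumptions.

```python
"""HTTP-to-HTTPS redirect and certificate-expiry check (added example)."""
import socket
import ssl
import sys
import time
import urllib.request
from urllib.error import HTTPError

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify result for an expired certificate (assumed)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand back the first response instead of following redirects."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def forces_https(status, location):
    """True only when an HTTP request is answered with a redirect to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def days_until_expiry(not_after, now=None):
    """Days left on a certificate given the notAfter string getpeercert() returns.

    Negative means it has already expired. `now` is epoch seconds (UTC).
    """
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def http_probe(host):
    """Fetch http://host/ without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{host}/", timeout=10) as r:
            return r.status, r.headers.get("Location")
    except HTTPError as e:  # a 3xx lands here once redirects are not followed
        return e.code, e.headers.get("Location")


def tls_probe(host):
    """Verified TLS handshake: report validity and expiry without weakening checks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"valid": True, "days_left": days_until_expiry(cert["notAfter"])}
    except ssl.SSLCertVerificationError as e:
        return {
            "valid": False,
            "expired": e.verify_code == X509_V_ERR_CERT_HAS_EXPIRED,
            "reason": e.verify_message,
        }


def report(host):
    """Combine both probes into a list of findings for one host."""
    findings = []
    status, location = http_probe(host)
    if not forces_https(status, location):
        findings.append(f"http://{host}/ answers {status} without redirecting to HTTPS")
    tls = tls_probe(host)
    if not tls["valid"]:
        findings.append("certificate does not verify: " + tls["reason"])
    elif tls["days_left"] < 30:
        findings.append(f"certificate expires in {tls['days_left']:.0f} days")
    return findings


if __name__ == "__main__":
    for finding in report(sys.argv[1]):
        print("[!]", finding)
```

Note that the handshake is left fully verified on purpose: an expired certificate shows up as a verification error with the reason string, which is the same thing a visitor's browser will tell them, rather than as a warning-free connection with verification switched off.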

Following ridicule on Twitter and in the world media, the Giuliani Security website was taken down soon after the Trump announcement. Thank God for the Wayback Machine! And yes, that's a Flash slideshow running on the company's front page. PS: You can also still reach the site via its raw IP address (h/t Stéphane Bortzmeyer).
