
Yesterday, President-elect Donald Trump announced the appointment of former New York Mayor Rudy Giuliani as his cyber security advisor concerning the US private sector.
The news made headlines, mostly because Rudy Giuliani is the last person anyone would think qualified to handle "the cyber," and because nobody seemed to know what Giuliani's security firm actually does.
The infosec community didn't take the news lightly, having hoped to see someone with more expertise in that position. It also didn't take long for cyber-security experts around the world to find flaws in the website of Giuliani's security firm.
Giuliani's company using three-year-old Joomla version
According to Phobos Group founder Dan Tentler, Giuliani's security company website runs a very, very old version of Joomla, a free, open-source CMS.
That's Joomla 3.1.1, released in April 2013. Since then, two major zero-days have plagued Joomla, so grave that they could allow attackers to take full control over a Joomla installation. Those are CVE-2016-9838 and CVE-2015-8562.
But that's not the worst of it. The Joomla admin panel login page is also freely reachable, meaning anyone could access it and attempt to brute-force the admin password.

Furthermore, this Joomla installation doesn't protect core configuration files, which can be easily accessed via a browser.
Running an end-of-life PHP version on a nine-year-old OS
Security researcher Michael Fienen also noticed that the underlying server hosting the website runs PHP 5.4.45, a version of PHP that has reached end of life.
The server, which runs a nine-year-old FreeBSD 6 version, also allows for remote SSH connections, which usually should be allowed only to a limited set of IPs. In fact, lots of server services seem to be open to remote connections.

Additionally, the Giuliani Security website uses an expired SSL certificate and doesn't force HTTPS connections, rendering the "https://" in front of its URL utterly useless.
As you can imagine, running the site through any of the SSL testing services yields an F rating. For comparison, Bleeping Computer, a meager news portal and computer help forum (that's not advising the President on "the cyber"), gets A and A+ ratings in the same tests.
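For readers wondering what closing these holes looks like in practice, here is an added example of a hardened web-server configuration that addresses the three exposures described above: core configuration files readable from a browser, an administrator login open to the whole internet, and HTTPS that is neither enforced nor backed by a valid certificate. This is not the page's or Giuliani Security's configuration; it assumes the site sits on an Apache 2.4 host with mod_rewrite and mod_headers enabled and AllowOverride permitted for the Joomla document root (the article doesn't say which web server the site actually runs). The address 203.0.113.10 is a placeholder from the RFC 5737 documentation range.

```apache
# Added example, not from the page: .htaccess for a Joomla document root on Apache 2.4.
# Assumes mod_rewrite and mod_headers are loaded and AllowOverride All applies here.

# 1. Keep core configuration and other sensitive files off the web entirely.
#    Without this, a request for /configuration.php can hand out database
#    credentials the moment PHP handling breaks or is misconfigured; with it,
#    the request returns 403 regardless of what PHP does.
<FilesMatch "^(configuration\.php|configuration\.php-dist|htaccess\.txt|web\.config\.txt|\.env)$">
    Require all denied
</FilesMatch>

# Directory listings leak file names and versions; turn them off.
Options -Indexes

RewriteEngine On

# 2. Limit the administrator login to an allow-list instead of exposing it to everyone.
#    203.0.113.10 is a placeholder; replace it with the real admin egress address(es).
#    (An equivalent is a separate administrator/.htaccess containing "Require ip ...".)
RewriteCond %{REQUEST_URI} ^/administrator/
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F,L]

# 3. Force every plain-HTTP request onto HTTPS with a permanent redirect.
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Tell browsers to keep using HTTPS (HSTS). Only enable this once the certificate is
# valid and renews automatically; an expired certificate plus HSTS locks visitors out,
# which is the opposite of the problem the site had.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
```

The checks are cheap to verify after deployment: a browser request for /configuration.php should return 403 rather than a blank page or PHP source, /administrator/ should return 403 from any address not on the allow-list, and an http:// request should answer with a 301 to the https:// URL. None of this replaces patching Joomla and PHP themselves, but it removes the exposures that made the unpatched versions easy to reach in the first place.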
The most surprising fact in all of this is that the Giuliani Security website hasn't ALREADY been hacked. They might as well put out a sign.
— Michael Fienen (@fienen) January 12, 2017
Just looked at his cyber security company website. It runs Joomla, unpatched since 2012. Worst security setup I've seen for a while. https://t.co/ged3uv4uGS
— Kevin Beaumont (@GossiTheDog) January 13, 2017
Following ridicule on Twitter and in world media, the website for Giuliani Security was taken down soon after the Trump announcement. Thank God for the Wayback Machine! And yes, that's a Flash slideshow running on the company's front page. PS: You can also still access the site via its raw IP address (h/t Stéphane Bortzmeyer).
Comments
buddy215 - 6 years ago
Obviously giving that job to Giuliani was nothing more than charity...a payback for lying for Trump throughout the Trump campaign. Ranks right up there with his nominating Betsy DeVos who is anti-education, anti-science, pro-Christian madrassas and wants to use your tax dollars to pay for the Christian madrassas. She has very limited education...maybe equivalent to high school. But she did give a ton of cash to Trump.
phreadphread - 6 years ago
Pretty funny that it currently isn't even online. http://giulianisecurity.com/
phreadphread - 6 years ago
I was so excited I failed to read the last paragraph. As you were...
KennysLab - 6 years ago
Don't get a hard on guys. It's probably just a honey pot. Don't get any ideas and don't hack it from your IP lol, unless you are inviting a court order.
Viper_Security - 6 years ago
"Don't get a hard on guys. It's probably just a honey pot. Don't get any ideas and don't hack it from your IP lol, unless you are inviting a court order."
Nope, not a honeypot.
https://honeyscore.shodan.io/ (IP: 209.238.99.227)
http://whois.domaintools.com/giulianisecurity.com
Please don't assume it's a honeypot until you look.
KennysLab - 6 years ago
Yeah it WAS a real system at the time, now it's just being cloned and put onto a DMZ with a typical NIDS to track attackers. Your honeypot check does nothing.
KennysLab - 6 years ago
I know I'd cover all these bases if I were a creditable cyber forensic specialist.
Viper_Security - 6 years ago
"I know I'd cover all these bases if I were a creditable cyber forensic specialist.
"
aww you're cute SKid, And good thing I'm not a "Cyber Forensic Specialist" hahahaha. I'm an IT Auditor/Security Professional.
Also, clone DOES NOT mean honeypot. it means it's a clone, :)
Also, i think you mean "credible"
KennysLab - 6 years ago
Oh brother... Mr. snarky here. You can clone the disk drive of a outdated web server and put it on a DMZ. Then when someone attacks it. Setup a NIDS and log the information. Depending on whether or not the hacker threw everything over the TOR network or some sort of proxy would allow them to go after him and use him and question him for leads.
But idk, I'm just a script kid apparently. Or maybe you have an ego and are looking for ways to improve your Epeen. Guess we'll never know.
Viper_Security - 6 years ago
"Oh brother... Mr. snarky here. You can clone the disk drive of a outdated web server and put it on a DMZ. Then when someone attacks it. Setup a NIDS and log the information. Depending on whether or not the hacker threw everything over the TOR network or some sort of proxy would allow them to go after him and use him and question him for leads.
But idk, I'm just a script kid apparently. Or maybe you have an ego and are looking for ways to improve you Epeen. Guess we'll never know."
....Do you even understand what you just said? and no ego here, i have proof i know what im doing unlike some people :) also, "E-Peen" is not a real word, maybe you should get off the interwebz go back to school and re-learn English.
Also I don't think you understand what "E-Peen" is actually meant to mean; Ego. so there for your comment is redundant :)
should also touch up on your TOR knowledge hahahahahahaha, and even if you have a "NDIS" that intrusion detection system will be useless against certain people.
Personally, I don't think you fully understand what you are talking about. whatsoever.
Do you even know how TOR works? lmao. and yes you are a SKid, compared to me, i don't use other people's scripts, i write my own. I don't use "tools" like NTFS SKids will, (undoubtedly destroying their machine)
Come to my level of education and then try this again.
KennysLab - 6 years ago
BTW, I like to educate people. Cyber Forensics is an actual profession and it typically involves the GOVERNMENT. https://en.wikipedia.org/wiki/Computer_forensics
Viper_Security - 6 years ago
"BTW, I like to educate people. Cyber Forensics is an actual profession and it typically involves the GOVERNMENT. https://en.wikipedia.org/wiki/Computer_forensics"
you ARE as stupid as you come off. I nor anyone here said that it was not a profession.
Re-Learn english
KennysLab - 6 years ago
Yeah you're just a troll. Lol... You're not even putting up an argument.
"go aftr rammer cause i no idea how to challeng his arugument cause it maks sense. btw i can trak ip with my python script -- lib url lololol cookie grab, packet sniff w/ python 3.0 cause i aint a nub too, fuk 2.7. go back to school nub. i'd build gui and buffer overflow u all day with my C skillz. u C student, me C pro.
This is the level of your argument.
Viper_Security - 6 years ago
"Yeah you're just a troll. Lol... You're not even putting up an argument.
"go aftr rammer cause i no idea how to challeng his arugument cause it maks sense. btw i can trak ip with my python script -- lib url lololol cookie grab, packet sniff w/ python 3.0 cause i aint a nub too, fuk 2.7. go back to school nub. i'd build gui and buffer overflow u all day with my C skillz. u C student, me C pro.
This is the level of your argument."
LOL your english is pathetic.
and C, pathetic, lawl. if i was a troll why do i have over 700 posts, and you have zero :) also, unlike your nab 4$$ I have contracts with well, nonya :)
"buffer Overflow" LOL try me, :) i dare you :) you want to play with an IT Auditor, that's fine, but don't cry like a bitch when i destroy your machine.
woody188 - 6 years ago
Kind of sensationalism. It's just a shared account at Verio: http://www.verio.com/ Probably just a standard cPanel shell. Shame on Verio for not keeping their servers up to date!
Rudy "The Ghoul" Giuliani is a horrible choice, but we have to keep in mind the position isn't really a technical one. He ran New York so he can probably run a cyber division with all the horrible politics involved in DC.
GT500 - 6 years ago
Funny, I just got done setting up a new Linux server, and it sounds like I did a much better job than Trump's Cyber Security Advisor... Too bad I can't give The Donald a call, and tell him about some of the Cyber Security experts I know. :P
DodoIso - 6 years ago
Viper, I don't understand why you are venting like this. Take it easy! Kenny's theory is perfectly plausible as well. Personally, I'd add a MongoDB server as well.
Viper_Security - 6 years ago
"Viper, I don't understand why you are venting like this. Take it easy! Kenny's theory is perfectly plausible as well. Personally, I'd add a MongoDB server as well."
I normally Don't, but when someone says "it's probably a honeypot" without having checked first, it kind of makes the site, regardless of owner look bad/become "under question" even more than it already had been. they knew, they took it down. for one to automatically assume a high govt official's webpage is a honeypot?
C'mon, we all know that's not safe to do.
HolyCowz - 6 years ago
Trump's hair scares me; he may use honey to glue it in place lol
KirkLash - 6 years ago
Please tell me it wasn't listening on port 389... Why would they have plain-text LDAP open??