On Thursday, Donald Trump’s transition team announced that Rudy Giuliani would be forming a cybersecurity team for the US President-elect, citing the former New York City mayor’s 16 years of experience “providing security solutions in the private sector”. In all those years, however, it appears that Giuliani never checked the defences of his own company’s website, giulianisecurity.com, which is a bona fide security nightmare.
As detailed by Phobos Group founder Dan Tentler and others, the website for Giuliani Security & Safety is an all-around disaster that runs on an ancient version of Joomla!, a free-to-use content management system (CMS). In the almost four years since the version that Giuliani’s site uses was released, more than a dozen vulnerabilities have been documented in the CMS.
That, unfortunately, isn’t even the worst of it. The site fails to follow a number of other basic best practices that would be obvious to the most casual student of cyber security. Among other things, both the CMS’ login page and the server’s remote login system are reachable from the public internet, making it far easier for an attacker to access them. It also uses an outdated version of the scripting language PHP, exposing the site to vulnerabilities that have gone unfixed in the months since that release stopped receiving security updates.
A cached version of the site (which was down at time of writing).
But you don’t need to try to hack the site to see how it fails the smell test: Just visiting shows how poorly set up it is. Because it uses an expired SSL certificate, visitors cannot verify that the site really belongs to Giuliani’s firm and can be trusted. And because it doesn’t force users onto the secure HTTPS protocol, communication with the site is insecure by default.
Also, it uses Adobe Flash, a well-known (if ubiquitous) security disaster.
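The three failings a visitor can see for themselves (an expired certificate, plain HTTP served without a redirect to HTTPS, and an end-of-life PHP version advertised by the server) are exactly the kind of thing a site owner can check routinely. The script below is an added example written for this article, not code from Tentler or from the site in question; it runs offline against constructed sample data shaped like what Python's ssl and http.client modules return, and the example certificate dates, host name and PHP version are invented, as is the assumed minimum supported PHP version passed as a parameter.

```python
import ssl
from email.parser import Parser

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns.
# Dates and host are invented; this is not the real certificate of any site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-firm.test"),),),
    "notBefore": "Jan 01 00:00:00 2016 GMT",
    "notAfter": "Jan 05 00:00:00 2017 GMT",
}

# Constructed sample: headers of a plain-HTTP response that is served directly
# instead of redirecting to HTTPS, and that advertises its PHP version.
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.3.29\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Constructed sample: what a correctly configured server answers over HTTP.
SAMPLE_REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example-firm.test/\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 307, 308}
DAY = 86400


def parse_http_response(raw):
    """Split a raw response into (status code, case-insensitive header map)."""
    status_line, _, header_block = raw.partition("\r\n")
    status = int(status_line.split()[1])
    return status, Parser().parsestr(header_block)


def check_certificate(cert, now):
    """Findings about certificate validity at epoch time `now` (UTC)."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now > not_after:
        days = int((now - not_after) // DAY)
        findings.append(f"certificate expired {days} days ago")
    elif not_after - now < 30 * DAY:
        findings.append("certificate expires within 30 days")
    return findings


def check_https_enforcement(raw_http_response):
    """A plain-HTTP request should be answered with a redirect to https://."""
    status, headers = parse_http_response(raw_http_response)
    location = headers.get("Location", "")
    if status in REDIRECT_CODES and location.lower().startswith("https://"):
        return []
    return ["plain HTTP is served directly instead of redirecting to HTTPS"]


def check_runtime_disclosure(raw_http_response, min_php=(5, 6)):
    """Flag version banners, and PHP below an assumed minimum supported version."""
    _, headers = parse_http_response(raw_http_response)
    findings = []
    powered_by = headers.get("X-Powered-By", "")
    if powered_by.startswith("PHP/"):
        findings.append(f"X-Powered-By discloses runtime version {powered_by}")
        version = tuple(int(p) for p in powered_by[4:].split(".")[:2])
        if version < min_php:
            findings.append(
                "PHP %s is below the assumed minimum supported version %s"
                % (".".join(map(str, version)), ".".join(map(str, min_php)))
            )
    return findings


def audit(cert, raw_http_response, now):
    """Run every check and return the combined list of findings."""
    return (
        check_certificate(cert, now)
        + check_https_enforcement(raw_http_response)
        + check_runtime_disclosure(raw_http_response)
    )


if __name__ == "__main__":
    # Evaluate the constructed sample one week after the certificate lapsed.
    when = ssl.cert_time_to_seconds("Jan 12 00:00:00 2017 GMT")
    for finding in audit(SAMPLE_CERT, SAMPLE_HTTP_RESPONSE, when):
        print("FINDING:", finding)
```

Against a live host the same functions take the dict from ssl.create_default_context().wrap_socket(...).getpeercert() and the headers of an http.client request to port 80; the checks are deliberately on the parsed data rather than the network call so they can be unit-tested, and the PHP threshold is a parameter because what counts as "supported" changes with every release cycle.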
Of course, it’s unlikely that Giuliani (who has, at best, a mostly profit-oriented understanding of cyber security) built the site himself. But it hardly inspires confidence in the man charged with organising a team to “help the government plan to make us more secure”.
“Our [cyber] offence is way ahead of our defence,” Giuliani told reporters during a conference call on Thursday. “We’ve let our defence fall behind.” Starting, it seems, with his very own security firm.