A website used to promote the services of Giuliani Security & Safety (GSS), a consultancy firm owned by US President-elect Donald Trump's newly appointed cybersecurity advisor, is being mocked online for – ironically – being openly vulnerable to hackers.
Rudy Giuliani was appointed this week (12 January) and will reportedly now be tasked with chairing meetings between the private sector and government to discuss the main hacking threats they face. A former New York Mayor, Giuliani has spent over a dozen years in the security industry.
Yet all the credentials in the world were deemed moot by a plethora of experts who quickly analysed his corporate website, giulianisecurity.com, and found numerous critical flaws. On Twitter, prominent hacker Dan Tentler pointed to Joomla, the content management system (CMS) used by the website.
According to web developer Michael Fienen, who took to social media to document a number of the issues, there are about 10 critical issues at a quick glance, including an exposed CMS login page, an expired SSL certificate and the fact that it doesn't force an HTTPS connection by default.
It also uses Adobe Flash, a piece of software that is much-maligned in the security industry and has been discontinued by a number of major tech firms in recent years. SSL Labs, which judges the strength of encryption between a server and a browser, graded the website an 'F'.
"The most surprising fact in all of this is that the Giuliani Security website hasn't already been hacked. They might as well put out a sign," Fienen tweeted on 12 January. On Facebook he wrote: "Oh yeah, I totally trust this guy to put together a top notch team to protect us from hackers."
Another cybersecurity expert who analysed the website reported similar results. Ty Miller, a threat intelligence expert, told The Register: "Using the version information, within minutes we were able to identify a combined list of 41 publicly known vulnerabilities and 19 publicly available exploits.
"Depending upon the configuration of the website, these exploits may or may not work, but it is an indication that Giuliani's security needs to be taken up a level," he added.
Robert Graham, a security expert who runs Errata Security, detailed in a blog post how the website has incredibly weak protections, but took a more nuanced approach to the consequences of this.
"The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on," he wrote. "You can probably break into Giuliani's server. I know this because other FreeBSD servers in the same data centre have already been broken into, tagged by hackers, or are now serving viruses. But that doesn't matter. There's nothing on Giuliani's server worth hacking."
Indeed, while Giuliani is a prolific security consultant, it is likely he did not build the website himself. Additionally, evidence suggests it is not regularly updated – the last story in the "news" section is from 22 June 2016.
Nevertheless, for someone who is now responsible for bolstering the so-called "hacking defense" of the US, as Trump describes it, critics find his website's lack of protections a bad sign for the future. As Giuliani told reporters following his appointment: "We've let our defense fall behind." Quite.