Friday, January 13, 2017

About that Giuliani website...

Rumors are that Trump is making Rudy Giuliani some sort of "cyberczar" in the new administration. Therefore, many in the cybersecurity community scanned his website "www.giulianisecurity.com" to see if it was actually secure from hackers. The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on.

But here's the deal: it's not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It's there only because people expect if you have a business, you also have a website.

That website designer in turn contracted some basic VPS hosting service from Verio. It's a service Verio exited around March of 2016, judging by the archived page.

The Verio service promised "security-hardened server software" that they "continually update and patch". According to the security scans, this is a lie, as the software is all woefully out-of-date. According to the OS fingerprint, the FreeBSD image it uses is 10 years old. The security is exactly what you'd expect from a legacy hosting company that's shut down some old business.

You can probably break into Giuliani's server. I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses.

But that doesn't matter. There's nothing on Giuliani's server worth hacking. The drama over his security, while an amazing joke, is actually meaningless. All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong.









5 comments:

marypcb said...

So we shouldn't expect someone who has the right skills to set policy on cybersecurity to have taken the time to hire someone competent. If someone gets a job setting transport policy, would it be relevant that they'd hired a driver without checking they didn't have a record of drunk driving, or even no actual driving licence? The details of the insecurities don't matter; the fact that he didn't set a policy for his contractor to protect the site or maybe even know how to vet them seems slightly relevant.

Michael Peterson said...

> There's nothing on Giuliani's server worth hacking.
https://www.troyhunt.com/all-websites-have-something-of-value-for-attackers-reputation/

I get that you like to play devil's advocate, and most of the time I appreciate it. However, I don't think you made a convincing argument here. While he may not personally be responsible for the security of the website, I would expect him, as "cyberczar", to at least be able to hire and oversee the talent necessary to secure a website.

Colin McD said...

I agree with those above. I don't expect Giuliani to have any idea on how to code a website. I do expect him to at least tap the right people on the shoulder.

Does this matter? No. His NR1 qualification is that he supported Trump, he will now be rewarded. Is it hypocritical to leave his servers open while claiming to be an IT expert? YES. Will it matter to a Trump government? Only if this hypocrisy does not generate enough articles.

We now live in a very strange dystopia.

Jasmine Lognnes said...

Several times you have posted screenshots of your browser and I'd really like to know which extensions you are using. I see TamperMonkey and Privacy Badger, but the others I can't recognise.

Can you share the names of the others?