Donald Trump has appointed Rudy Giuliani as his cybersecurity advisor, prompting security experts to cast a critical eye over his consulting firm’s website — and they’re not impressed.
Giuliani’s site is littered with security problems and outdated software, they say, making it extremely vulnerable to hacking.
Since the end of his term as New York City mayor in 2001, Giuliani has — among other things — done security consultancy for various clients. A stalwart Donald Trump supporter, he was originally angling for the position of Secretary of State — but was ultimately appointed cybersecurity advisor for the President-elect, tasked with putting together a team experts in the field.
Rudy Giuliani, former mayor of New York, smiles while arriving to participate in a discussion during the Values Voter Summit with Donald Trump, 2016 Republican presidential nominee, not pictured, in Washington, D.C., U.S., on Friday, Sept. 9, 2016. Trump and his running mate said this week that Russian President Vladimir Putin is a stronger leader than U.S. President Barack Obama, provoking Democratic condemnation and prompting some Republicans to distance themselves. Photographer: Andrew Harrer/Bloomberg via Getty Images
But some experts are finding his consultancy site, giulianisecurity.com, lacking on the security front. It runs a version of Joomla! (a content management system) that is four years out of date and plagued with security flaws, according to Phobos group founder Dan Tetler.
“Giuliani is running a version of PHP that was released in 2013, and a version of Joomla that was released around 2012,” Threat Intelligence director Ty Miller told The Register.
“Using the version information, within minutes we were able to identify a combined list of 41 publicly known vulnerabilities and 19 publicly available exploits. Depending upon the configuration of the website, these exploits may or may not work, but is an indication that Giuliani’s security needs to be taken up a level.”
It also has an expired SSL certificate — essentially the thing that proves to your computer that the website is who it says it is — leaving it vulnerable to being impersonated.
Robert Graham, of Errata Security, points out on his blog that it’s possible that the site isn’t being directly run by Giuliani or his team, however. “But here’s the deal: it’s not his website,” he wrote on his blog. “He just contracted with some generic web designer to put up a simple page with just some basic content. It’s there only because people expect if you have a business, you also have a website.”
The site went down for several hours after it began being scrutinised — it’s not clear why — but it is now back online. An email address on the site did not immediately respond to a request for comment.