About that Giuliani website…

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/01/about-that-giuliani-website.html

Rumors are that Trump is making Rudy Giuliani some sort of “cyberczar” in the new administration. Therefore, many in the cybersecurity scanned his website “www.giulianisecurity.com” to see if it was actually secure from hackers. The results have been laughable, with out-of-date software, bad encryption, unnecessary services, and so on.

But here’s the deal: it’s not his website. He just contracted with some generic web designer to put up a simple page with just some basic content. It’s there only because people expect if you have a business, you also have a website.
That website designer in turn contracted some basic VPS hosting service from Verio. It’s a service Verio exited around March of 2016, judging by the archived page.
The Verio service promised “security-hardened server software” that they “continually update and patch”. According to the security scans, this is a lie, as the software is all woefully out-of-date. According OS fingerprint, the FreeBSD image it uses is 10 years old. The security is exactly what you’d expect from a legacy hosting company that’s shut down some old business.
You can probably break into Giuliani’s server. I know this because other FreeBSD servers in the same data center have already been broken into, tagged by hackers, or are now serving viruses.
But that doesn’t matter. There’s nothing on Giuliani’s server worth hacking. The drama over his security, while an amazing joke, is actually meaningless. All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong.