So, last week, US president-elect Donald Trump named former New York City mayor Rudolph Giuliani to some kind of cybersecurity role. And, as is par for the course these days, an instant kerfuffle followed.
What did this mean (if anything)? What does Rudy Giuliani know about information security? Given Trump’s perhaps suboptimal clarity on these issues, will this appointment truly help America harden its infrastructure against attack?
Outside the US, Giuliani may be best remembered for helping to unify New York City in aftermath of the September 11 2001 attacks on the World Trade Center. (Less starry-eyed locals also recall he’d personally chosen the World Trade Center to house New York’s emergency command center, even after it had been attacked by terrorists in 1993 — overriding NYPD experts advised by the Secret Service. Of course, the command center itself was destroyed on 9/11, making it worthless in New York’s greatest emergency. But who among us is blessed with perfect judgment?)
More recently, Giuliani has emerged as one of America’s fiercer voices in favor of more aggressive surveilliance of Muslims. So it wasn’t a shock that he became one of candidate Trump’s most prominent early supporters, serving up a red-meat Republican convention speech and rushing to Trump’s side after October’s exposure of Trump’s notorious woman-groping tapes. Some observers expected Giuliani to get a plum cabinet role like Secretary of State or Homeland Security, but such was not to be.
But what does Rudy know about cybersecurity? Well, after leaving City Hall, he founded Giuliani Partners to offer security consulting services, hiring (among others) some law enforcement leaders he’d known in government. Giuliani Partners has grown significantly over the years, and now includes a cybersecurity practice.
You can find out more about Giuliani’s companies at their websites, giulianipartners.com and giulianisecurity.com. Or you could have, had they not vanished from the web last week, though thanks to Internet Archive’s Wayback Machine, you can however check out an older version of giulianisecurity.com, which shows little evidence of infosec domain expertise.)
Before Giuliani’s current sites disappeared, some security experts took a gander at their security – and were seriously unimpressed.
As The Register reported, “Giulianisecurity.com, the website for the ex-mayor’s eponymous infosec consultancy firm, is powered by a roughly five-year-old build of Joomla! that is packed with vulnerabilities. Some… can be potentially exploited by miscreants using basic SQL injection techniques… [It] also has a surprising number of network ports open – from MySQL and anonymous LDAP to a very out-of-date OpenSSH 4.7 that was released in 2007. It also runs a rather old version of FreeBSD.”
Content management specialist Michael Fienen tweeted his own assessment: “Expired SSL. Doesn’t force hhtps. Exposed CMS login. Uses Flash. Using FOL’d PHP version (5.4x). SSL grade of F. Using Joomla 3.11 (released in April 2013 – current is 3.6.5). SSH exposed to public access. FreeBSD 6 (released in 2008). Open ports, so many open ports… Oh, yeah, I totally trust this guy to put together a top-notch team to protect us from hackers.”
In Giuliani’s defense, these were brochureware sites: they didn’t appear to host any sensitive information. In the view of Errata Security’s Robert Graham, their flaws demonstrate only that Giuliani chose a lousy service provider. Still, as Slashdot commenter Anonymous Coward points out, “You might not get anything interesting from the server, but you could use it to infect other systems and visitors, who might be high-profile targets given what it’s hosting.”
You can decide for yourself how troubled you are by Giuliani’s site security. And you can also judge the depth of Giuliani’s personal understanding of these issues by watching his talk at last summer’s BlackBerry Security Summit.
Of course, the Donald isn’t hiring Rudy as a sysadmin. Which raises the question: what exactly will he be doing? Per The New York Times, Giuliani will “share his ‘expertise and insight as a trusted friend’ [and] will ‘from time to time’ assemble meetings between Mr Trump and corporate executives who face cyberthreats, the transition team said”.
That’s pretty vague. But if you’re looking for someone who knows a lot of CEOs personally, Giuliani – who’s made lot of money giving speeches – fits the bill perfectly.