Former New York Mayor Rudy Giuliani, who's been tapped by U.S. president-elect Donald Trump to lead a cybersecurity corporate outreach program, runs a security consulting company with a website that's been given an "F" for its security.
On Jan. 12, Trump's transition team released statements announcing that Giuliani would be facilitating a series of ongoing meetings with corporate executives to discuss their cybersecurity challenges.
"The President-elect's intent is to obtain experiential and anecdotal information from each executive on challenges faced by his/her company, how the company met the challenges, approaches which were productive or successful, and those which were not," according to the statement released by Trump's transition team. "No consensus advice or recommendations resulting from group deliberations or interaction is expected or will be solicited."
Giuliani, formerly U.S. Attorney for the Southern District of New York, now heads security consulting firm Giuliani Partners and is also chairman of the global cybersecurity privacy and crisis management practice at the law firm Greenberg Traurig. He also advised Trump's presidential campaign.
For a man who's been tapped to keep Trump informed on cybersecurity best practices - and who's reportedly being mooted as some type of cybersecurity czar in the upcoming White House administration - it's notable that the website for Giuliani Partners earned a failing grade from the Qualys Labs SSL assessment service.
Michael Fienen, a senior developer at staffing firm Aquent, notes via Facebook that the Giuliani Partners website commits a number of security errors.
U.K.-based developer Kevin Beaumont, who tweets as "GossiTheDog," says via Twitter: "Rudy Giuliani's cyber company website runs FreeBSD from a decade ago. There's no firewall."
"Rudy Giuliani's cyber company website runs FreeBSD from a decade ago. There's no firewall. IMAP, MySQL etc. With old Joomla. Amazing." — Kevin Beaumont (@GossiTheDog), January 13, 2017
As Alan Woodward, a computer science professor at the University of Surrey who advises the EU's law enforcement intelligence agency, Europol, on cybersecurity, notes: "Oops."
Ditto for a security headers scan of the Giuliani Partners site. "There's one thing worse than poor use of security headers & that is no security headers," Woodward says via Twitter. "The irony of this story should not escape anyone who has ever advised on cyber security."
Poor Choice of Hosting Provider?
Trump's transition team couldn't be immediately reached for comment on the security of the corporate website run by Giuliani's company. An email sent to the team's designated contact point bounced back with an error message saying it had been "rejected due to spam classification."
But Robert David Graham, who heads research firm Errata Security, counters that the website is just an outsourced affair, while also noting that Giuliani runs a security business, not a cybersecurity one. "He just contracted with some generic web designer to put up a simple page with just some basic content. It's there only because people expect if you have a business, you also have a website," Graham says in a blog post.
The hosting service in question appears to be run by Verio, he says, and to use a version of FreeBSD that's 10 years old and which has known vulnerabilities. Graham says other servers - in the same data center - had already been broken into and defaced or used to serve malware.
"But that doesn't matter. There's nothing on Giuliani's server worth hacking. The drama over his security, while an amazing joke, is actually meaningless," Graham contends. "All this tells us is that Verio/NTT.net is a crappy hosting provider, not that Giuliani has done anything wrong."
"Prediction: 10 months from now Giuliani declares victory at 'raising awareness', steps down as cyberczar, makes $$ in private cyber business" — Rob Graham (@ErrataRob), January 13, 2017
Following the announcement of Giuliani's cybersecurity role, the website for Giuliani Partners became unreachable. It's not clear if that was due to outside interference or if it was by design, for example, in response to warnings about the site's security deficiencies.
Giuliani Partners didn't immediately respond to my request for comment.
While the security gaffe might not pose an immediate risk to Giuliani or data relating to his business, symbolically speaking, the failure of the upcoming President's cybersecurity adviser to ensure that his own website is secure can only be seen as unfortunate, at best.