The Website of Donald Trump's Cyber Security Advisor Is Insecure as Hell
On Thursday, Donald Trump's transition team announced that Rudy Giuliani would be forming a cybersecurity team for the President-elect, citing the former New York City mayor's 16 years of experience providing security solutions in the private sector. In all those years, however, it appears that Giuliani never checked the defenses of his own company's website, giulianisecurity.com, which is a bona fide security nightmare.
As detailed by Phobos Group founder Dan Tentler and others, the website for Giuliani Security & Safety is an all-around disaster that runs on an ancient version of Joomla!, a free-to-use content management system (CMS). In the almost four years since the version that Giuliani's site uses was released, more than a dozen vulnerabilities have been documented in the CMS.
That, unfortunately, isn't even the worst of it. The site fails to follow a number of other basic best practices that would be obvious to the most casual student of cyber security. Among other things, both the CMS login page and the server's remote login system are public, making it far easier for an attacker to access them. It also uses an outdated version of the scripting language PHP, exposing the site to vulnerabilities that have gone unfixed in the months since that release was last supported.
But you don't need to try to hack the site to see how it fails the smell test: Just visiting shows how poorly set up it is. As it uses an expired SSL certificate, visitors cannot be certain the identity of Giuliani's site is valid and can be trusted. And because it doesn't force users to use the secure HTTPS protocol, communication is insecure by default. Good luck going to the site right now, though: the page is currently down.
Also, it uses fucking Adobe Flash, a well-known (if ubiquitous) security disaster.
http://gizmodo.com/the-website-of-donald-trumps-top-cyber-security-advisor-1791145791