Wisconsin does not have any licensing requirements for roofing. Anyone – and I mean anyone – can declare themselves a “roofer” and start a roofing company.

If you’re having roofing work done, you could have a seasoned professional redo your roof, or you could have someone’s nephew show up with a bucket of tar, a nail gun, and unearned optimism. Unfortunately, you’ll never know whether you hired the right person until the middle of the next heavy rainstorm.

Likewise, anyone can claim to be a cybersecurity expert. That includes highly public figures, such as Rudy Giuliani. In January 2017, then President-elect Trump named Rudy Giuliani as his administration’s cybersecurity advisor during the transition period.

Back in 2017, I remember being surprised by the announcement. I had no idea that Giuliani ran a security company, let alone a cybersecurity company. I wasn’t the only one caught off guard by the announcement, and it turned out I wasn’t the only one curious about Giuliani Security.

Curious users promptly investigated giulianisecurity.com and discovered that the site had many vulnerabilities and was impressively out-of-date, as discussed in this r/technology thread. The site exposed SSH and MySQL to the public internet. Based on the Joomla! and OpenSSH versions installed, the server had not been patched in years. Whatever Giuliani believed about cybersecurity, he clearly didn’t apply those beliefs to his own site.

Anyone can call themselves a roofer.

Hours after news broke regarding giulianisecurity.com’s many vulnerabilities, one of the admins for that domain responded. As a self-identified cybersecurity professional, Giuliani knew his organization had to respond to the vulnerabilities on the giulianisecurity.com site. Would the organization mitigate the risk? Would they transfer the risk to another party? Avoid it? Accept it?

We’ll never know the admin’s intention for sure, but someone left the site unpatched, with the same ports and services exposed, and removed the A records that directed queries to that particular site. I suppose this was a misguided attempt at risk avoidance, but the server – with all of its potentially private info, and likely itself inside giulianisecurity.com’s DMZ – remained up and accessible. To this day, Giuliani Partners LLC still has the giulianisecurity.com domain registered, and to this day the A record for the root domain has never been restored. Fortunately, the former WAN IP for giulianisecurity.com has since stopped exposing ports 3306 and 22 to the public internet.

However, the story of Rudy Giuliani’s misadventures in web hosting is far from over. According to SecurityTrails.com’s DNS history for the domain, on October 21st, 2021, someone pointed the A record for www.giulianisecurity.com at a new Azure site.

The comedy of errors continues:

  • Whoever decided to make the site accessible via DNS again remembered to add an A record for WWW, but forgot to provide a record for the root of the domain. giulianisecurity.com gives you nothing, and WWW gives you the new (as of 2021) site.
  • The site is still vulnerable to SQL injection and XSS, and lit up a free security scanner like a Christmas tree.
  • The site does not redirect HTTP connections to HTTPS, but at least it serves HTTPS connections now upon request.
  • While the site does provide an HTTPS connection, the site still doesn’t have a valid SSL certificate installed for the domain. The certificate returned is for *.azurewebsites.net, rather than for www.giulianiservices.com.

Anyone can call themselves a roofer. No one will know if they hired the right roofer for the job until after the leaks have started.

POSTSCRIPT: To Mr. Giuliani’s credit, giulianisecurity.com’s SPF record is set with a hard fail by default (-all) and has been set with -all since 2016 per dnshistory.org, so at least there’s that. Additionally, the new site has cleared the hadopelagically low bar of closing 3306 and 22 to the public internet.
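The certificate mismatch and missing HTTPS redirect from the list, and the SPF hard fail from the postscript, are all things a site owner can check mechanically against their own domain. The sketch below is an added example, not code from the original post: the function names are hypothetical, and the HTTP response and SPF record are constructed samples; only `*.azurewebsites.net`, the host name and the `-all` policy come from the post.

```python
# Sample inputs are constructed; only "*.azurewebsites.net", the host name
# and the "-all" SPF policy are taken from the post.

def cert_covers_host(san_names, hostname):
    """RFC 6125-style match: '*' may stand in only for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue  # a wildcard never spans more than one label
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def spf_all_policy(txt_record):
    """Return 'fail', 'softfail', 'neutral', 'pass', or None if no 'all' term."""
    terms = txt_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    qualifiers = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
    for term in terms[1:]:
        t = term.lower()
        if t == "all":
            return "pass"  # a bare 'all' carries the implicit '+' qualifier
        if len(t) == 4 and t[1:] == "all" and t[0] in qualifiers:
            return qualifiers[t[0]]
    return None


def redirects_to_https(status, location):
    """True when a plain-HTTP response is a redirect to an https:// URL."""
    return status in (301, 302, 303, 307, 308) and (location or "").lower().startswith("https://")


def audit(hostname, san_names, http_status, http_location, spf_txt):
    return {
        "cert_matches_host": cert_covers_host(san_names, hostname),
        "http_redirects_to_https": redirects_to_https(http_status, http_location),
        "spf_hard_fail": spf_all_policy(spf_txt) == "fail",
    }


if __name__ == "__main__":
    print(audit("www.giulianisecurity.com", ["*.azurewebsites.net"],
                200, None, "v=spf1 include:_spf.example.net -all"))
```

A platform wildcard certificate only covers names directly under the platform's own domain, which is why a custom domain pointed at such a host fails validation until its own certificate is bound.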
