Slashdot Mirror


FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers

An anonymous reader writes: Leading network security company FireEye, which has customers in government and the Fortune 500 list, has caused a controversy at a London security conference today after its legal attempts to stop a keynote speech detailing the repair of major security loopholes in its customer-facing systems this year. Reported among these now-fixed vulnerabilities was the running of a significant number of FireEye's Apache-based security servers as 'root' — meaning that any attacker able to compromise the servers would have had absolute power over all its operations and commercial connections.

6 of 108 comments

  1. What is really worrying ... by Alain+Williams · Score: 5, Insightful

    is not that they were running Apache as root - although that is a stupid thing to do, it could have been an oversight (just about). What is of major concern is how they try to hide their mistake by abuse of the legal system - this abuse is not an oversight and only makes me wonder what else FireEye is hiding -- I would think 3 times before hiring them.

    I am also disgusted at the German judge who gave an ex parte order without having a return date so that the defendant (security researcher) could present his side of the argument. It does happen often in spite of heads of courts saying that it must not happen (in some UK court divisions anyway).

    1. Re: What is really worrying ... by Anonymous Coward · Score: 3, Insightful

      No, the really worrying part is that a modern tech company actually believed a court order would stop the spread of information.

    2. Re: What is really worrying ... by tnk1 · Score: 3, Insightful

      When does a "security company" not understand that you don't run a webserver as root? Just about every distro's webserver package will make a webserver run as a non-root user by default. These guys not only overlooked the fact that their webserver was running as root, they probably rolled their own web server install to begin with to even make that possible.

      As someone else pointed out, they must have used lawyers to protect their data, because they clearly didn't employ any system administrators.

    3. Re: What is really worrying ... by Anonymous Coward · Score: 2, Insightful

      Shove the damn app into a docker container (kernel namespace) with read only storage. In this day and age, every application (even apps on your mobile phone) should be jailed in isolation. If someone manages to get "root" inside the jail, big deal, they can be king of the jail cell but not the entire prison.

    4. Re: What is really worrying ... by mlts · Score: 3, Insightful

      SELinux is quite similar. Root might let them out of the cell, but they are not getting out of the cellblock. However, the ideal is definitely a docker container, just because it can run anywhere.
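
Added example, not code from this thread, from FireEye or from the keynote: a small POSIX shell audit for the condition the replies above discuss. It does two things. First, from `ps -eo user,pid,ppid,comm` output it counts httpd/apache2 *worker* processes running as root; the master process legitimately starts as root to bind ports 80/443 and is supposed to spawn workers under the `User`/`Group` account, so a root worker (a root httpd whose parent is itself httpd) is the actual defect. Second, it reads the effective `User` directive from an httpd.conf fragment and flags `root` or an unset value. The process listings and config fragments are constructed sample data, and the docker hardening flags appear only in a comment (they are real flags, but nothing here runs docker). One caveat worth knowing: stock httpd refuses to start with `User root` unless it was built with `-DBIG_SECURITY_HOLE`, so root workers on a real host usually point to a custom build or a non-standard launcher rather than a plain distro package, which is consistent with the guess in the second reply.

```shell
#!/bin/sh
# Added example (not from the thread, FireEye or the keynote): audit an Apache
# host for the "workers running as root" condition discussed above.
#
# Two checks:
#   1. count_root_workers PS_TEXT  - from `ps -eo user,pid,ppid,comm` output,
#      count httpd/apache2 processes whose user is root AND whose parent is
#      itself httpd/apache2. The master is expected to be root (it binds
#      80/443); workers are not.
#   2. conf_run_user CONF_TEXT     - report the effective `User` directive
#      from an httpd.conf fragment (comment lines ignored, last one wins).
#
# The ps listings and config fragments below are constructed sample data.

# Constructed listing: master is root (fine), both workers are root (bad).
PS_BAD='USER PID PPID COMMAND
root 1 0 init
root 1200 1 httpd
root 1201 1200 httpd
root 1202 1200 httpd'

# Constructed listing: master root, workers dropped to www-data (distro default).
PS_GOOD='USER PID PPID COMMAND
root 1 0 init
root 1200 1 httpd
www-data 1201 1200 httpd
www-data 1202 1200 httpd'

# Constructed httpd.conf fragments: the weak setting beside the corrected one.
CONF_BAD='# custom build, privileges never dropped
User root
Group root'

CONF_GOOD='User www-data
Group www-data'

count_root_workers() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                  # header line
        $4 ~ /^(httpd|apache2)$/ {
            is_httpd[$2] = 1                              # remember every httpd pid
            if ($1 == "root") parent_of[$2] = $3          # root httpd pids -> ppid
        }
        END {
            n = 0
            for (pid in parent_of)
                if (is_httpd[parent_of[pid]]) n++         # parent is httpd => worker
            print n
        }'
}

conf_run_user() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                               # comment lines
        tolower($1) == "user" { u = $2 }                  # last User directive wins
        END { print (u == "" ? "unset" : u) }'
}

# check_conf CONF_TEXT: succeed only when User is set to a non-root account.
check_conf() {
    u=$(conf_run_user "$1")
    [ "$u" != "root" ] && [ "$u" != "unset" ]
}

# Live use on a real host would be:
#   count_root_workers "$(ps -eo user,pid,ppid,comm)"
#   conf_run_user "$(cat /etc/httpd/conf/httpd.conf)"   # or /etc/apache2/apache2.conf
#
# If the app is instead containerised as the replies suggest, the matching
# hardening on the docker CLI is (real flags, shown only as a comment):
#   docker run --read-only --tmpfs /tmp --user 33:33 --cap-drop ALL ... image

# Stand-alone demo over the constructed samples.
for name in PS_BAD PS_GOOD; do
    eval "listing=\$$name"
    echo "$name: $(count_root_workers "$listing") root httpd worker(s)"
done
for name in CONF_BAD CONF_GOOD; do
    eval "conf=\$$name"
    if check_conf "$conf"; then
        echo "$name: User=$(conf_run_user "$conf") OK"
    else
        echo "$name: User=$(conf_run_user "$conf") NOT OK"
    fi
done
```

The parent-is-httpd test is what separates the legitimate root master from a root worker; a naive `ps | grep root | grep httpd` would flag every correctly configured host. In a container, the same check applies to the container's own process tree, and `--read-only` plus a non-root `--user` is the docker-side equivalent of the `User`/`Group` drop.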

  2. he did this work under contract to FireEye by YesIAmAScript · Score: 5, Insightful

    If you do work for hire, you do not control whether you can publish information you discover doing that work.

    And what kind of security consultant airs his customers' dirty laundry? Not one that wants future customers.

    If he had found this on his own, it'd be his call. But if he did it for FireEye, it's FireEye's call.

    --
    http://lkml.org/lkml/2005/8/20/95