Slashdot Mirror


FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers

An anonymous reader writes: Leading network security company FireEye, which has customers in government and the Fortune 500 list, has caused a controversy at a London security conference today after its legal attempts to stop a keynote speech detailing the repair of major security loopholes in its customer-facing systems this year. Reported among these now-fixed vulnerabilities was the running of a significant number of FireEye's Apache-based security servers as 'root' — meaning that any attacker able to compromise the servers would have had absolute power over all its operations and commercial connections.

25 of 108 comments

  1. What? by Etherwalk · · Score: 5, Funny

    Why is 'root' in quotes? Why is it defined (poorly) as if it were this mysterious thing giving absolute power over "commercial" connections?

    We're not the general public. We're nerds. Don't submit articles written for people who don't know what "root" is.

    1. Re:What? by JustAnotherOldGuy · · Score: 2, Informative

      Why is 'root' in quotes? Why is it defined (poorly) as if it were this mysterious thing giving absolute power over "commercial" connections

      Well, as "regular users" and "technically oriented" people we may not require "definitions" but "non-technical people" (aka "ordinary end users") may require "things" be more "spelled out" so they "understand" that the word is a "technical term". heh

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:What? by Anonymous Coward · · Score: 4, Funny

      I run all my security-sensitive services as the "streisand" user

    3. Re:What? by satch89450 · · Score: 3, Informative

      It's proper writing style to enclose text like user names and passwords in some sort of quotation mark in formal writing. I do it all the time in magazine articles, white papers, and technical documentation.

    4. Re:What? by davester666 · · Score: 2

      Awhile ago, slashdot let a bunch of people making web sites create logins here. Sure, they believe they are "developers", but you have to explain stuff real slow to them.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Amusing coincidence... by bob_super · · Score: 3, Interesting

    I was just staring at Process Explorer, wondering why my company decided that the FireEye policy would allow it to max out one of my cores in the middle of the afternoon.

    1. Re:Amusing coincidence... by l0n3s0m3phr34k · · Score: 3, Funny

      FireEye has replaced nice with "angry". Every thread immediately grabs all the resources it can as soon as it's launched and refuses to give up anything until you reboot every device on the network.

  3. What is really worrying ... by Alain Williams · · Score: 5, Insightful

    is not that they were running Apache as root - although that is a stupid thing to do, it could have been an oversight (just about). What is of major concern is how they try to hide their mistake by abuse of the legal system - this abuse is not an oversight and only makes me wonder what else FireEye is hiding -- I would think 3 times before hiring them.

    I am also disgusted at the German judge who gave an ex-parte order without having a return date so that the defendant (security researcher) could present his side of the argument. It does happen often in spite of heads of courts saying that it must not happen (in some UK court divisions anyway).

    1. Re:What is really worrying ... by Anonymous Coward · · Score: 3, Insightful

      No, the really worrying part is that a modern tech company actually believed a court order would stop the spread of information.

    2. Re:What is really worrying ... by tnk1 · · Score: 3, Insightful

      When does a "security company" not understand that you don't run a webserver as root? Just about every distro's webserver package will make a webserver run as a non-root user by default. These guys not only overlooked the fact that their webserver was running as root, they probably rolled their own web server install to begin with to even make that possible.

      As someone else pointed out, they must have used lawyers to protect their data, because they clearly didn't employ any system administrators.

    3. Re: What is really worrying ... by Anonymous Coward · · Score: 2, Insightful

      Shove the damn app into a docker container (kernel namespace) with read only storage. In this day and age, every application (even apps on your mobile phone) should be jailed in isolation. If someone manages to get "root" inside the jail, big deal, they can be king of the jail cell but not the entire prison.

    4. Re: What is really worrying ... by mlts · · Score: 3, Insightful

      SELinux is quite similar. Root might let them out of the cell, but they are not getting out of the cellblock. However, the ideal is definitely a docker container, just because it can run anywhere.

    5. Re:What is really worrying ... by spauldo · · Score: 2

      It's worse than that.

      I used to compile Apache myself (now I just use FreeBSD's port) and do all the setup manually.

      You have to intentionally set it to run as root. Every piece of documentation, including the sample config file, has the configuration set up to run as a user.

      The only way you could "accidentally" run it as root would be if you started with a blank config and only read part of the documentation. I have a hard time believing that anyone would actually do that.

      No, if they're running as root, they have a reason. I have no idea what that reason could possibly be, but there has to be one. Even VPs' nephews aren't stupid enough to make that mistake.

      --
      Those who can't do, teach. Those who can't teach either, do tech support.
    6. Re:What is really worrying ... by RabidReindeer · · Score: 2

      Precisely. Amenities like selinux and docker containers are all very well, but most distros these days install an apache or http userid and run Apache under that ID and ONLY if you deliberately switch it off will you EVER run apache as root.

      Something's rotten in the State of Denmark.

    7. Re:What is really worrying ... by RabidReindeer · · Score: 2

      Meh. Too much meth. Seriously hallucinating.

      Port 80 has been around a long time. 8080 got nominated for things like Tomcat which cannot chroot themselves.

  4. Should really eat your own dog food. by unimacs · · Score: 2

    Sometimes the companies most in need of the services they provide are themselves.

    I frequently walk by this handyman's house where he has a sign advertising his various services including painting. I shake my head every time I see it because his house needs a good paint job more than any other house on the block.

    1. Re:Should really eat your own dog food. by 93 Escort Wagon · · Score: 2

      I used to regularly pass by an auto repair shop whose sign read "Percision Automotive".

      --
      #DeleteChrome
  5. I didn't think you could run apache as root by nedlohs · · Score: 2

    Well not without compiling from source with -DBIG_SECURITY_HOLE set, which surely provides a "maybe we are doing this wrong" double check...
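A defender-side check for the misconfiguration the posts above describe, added here as an example (it is not code from Slashdot, FireEye or the Apache project): it flags Apache worker processes that run as root in a constructed `ps` sample, and reads the `User` directive from constructed httpd.conf fragments, the weak setting beside the corrected one. The process names, PIDs, user names and config paths are assumptions.

```shell
#!/bin/sh
# Added example: audit captured `ps -eo user,pid,ppid,comm` output for Apache
# *workers* running as root, and check httpd.conf for "User root".

# Constructed sample of `ps -eo user,pid,ppid,comm` output. The Apache parent
# (pid 1200) runs as root, which is expected: it must bind port 80 and then
# drops privilege for its workers. Workers 1201/1202 run as www-data, as the
# User directive intends; worker 1203 running as root is the finding.
SAMPLE_PS='USER      PID  PPID COMMAND
root        1     0 init
root     1200     1 apache2
www-data 1201  1200 apache2
www-data 1202  1200 apache2
root     1203  1200 apache2
root     1300     1 sshd'

# Constructed httpd.conf fragments: the weak setting and the corrected one.
CONF_WEAK='ServerRoot "/etc/httpd"
User root
Group root'
CONF_FIXED='ServerRoot "/etc/httpd"
User apache
Group apache'

# Print PIDs of httpd/apache2 processes that run as root AND whose parent is
# itself an httpd/apache2 process (i.e. workers, not the privileged parent).
# Returns 1 when at least one such worker exists, 0 otherwise.
root_workers() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # skip the ps header
        $4 ~ /^(httpd|apache2)$/ { user[$2] = $1; parent[$2] = $3; web[$2] = 1 }
        END {
            for (p in web)
                if (user[p] == "root" && (parent[p] in web)) { print p; bad = 1 }
            if (bad) exit 1
        }'
}

# Print the user named by the last "User" directive (empty if none). "root"
# is the misconfiguration; an empty result means the build default applies
# and should be verified rather than assumed safe.
conf_user() {
    printf '%s\n' "$1" | awk '$1 == "User" { u = $2 } END { print u }'
}

root_workers "$SAMPLE_PS" || echo "finding: Apache workers above run as root"   # prints 1203
conf_user "$CONF_WEAK"               # prints root
conf_user "$CONF_FIXED"              # prints apache
```

On a live host, replace the sample with `ps -eo user,pid,ppid,comm` output and the fragments with the real config; the parent process showing as root is normal and is deliberately not reported.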

  6. he did this work under contract to FireEye by YesIAmAScript · · Score: 5, Insightful

    If you do work for hire, you do not control whether you can publish information you discover doing that work.

    And what kind of security consultant airs his customers' dirty laundry? Not one that wants future customers.

    If he had found this on his own, it'd be his call. But if he did it for FireEye, it's FireEye's call.

    --
    http://lkml.org/lkml/2005/8/20/95
  7. Almost as bad... by h33t l4x0r · · Score: 2

    It turned out that the root password was "password"

  8. Re:And they hate open source by dunkindave · · Score: 2

    From the Forbes article, there were many problems, with running the webservers as 'root' just one of them. Another was a pair of zip email attachments could trigger the FireEye software to "open the files for analysis and in doing so open a backdoor on its appliance". It sounds like the researcher heavily redacted his presentation, then presented, which is why we know what we do. It also means a lot of other juicy bits were probably removed and not presented, so the bad we know about (which is bad) is just part of their problems. My guess is they considered what the guy discovered in the process to be revealing of their software's architecture and therefore would be revealing IP.

  9. FireEye wanted to conceal IP .. by nickweller · · Score: 2

    "We tried to conceal from the researchers to publish our IP. No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now. Our Customers are protected." ref

    1. Re:FireEye wanted to conceal IP .. by Anonymous Coward · · Score: 2, Funny

      199.83.131.186 - no big secret.

    2. Re:FireEye wanted to conceal IP .. by jbmartin6 · · Score: 2

      You should never give out your IP address on the Internet!

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  10. Clickbait Headlines by Anonymous Coward · · Score: 2, Interesting

    So looking at this in depth, it looks like FireEye has already publicly disclosed said vulnerabilities after fixing them months ago. They then try to stop the presentation because it allegedly reveals too much of their IP (which is itself worth discussing but totally separate) and we get a bunch of headlines saying "ZOMG! FireEye is trying to silence people for revealing vulnerabilities!". This is trigger happy, bullsh*t journalism at its finest. Not quite accurate or informative but just close enough to get people prematurely worked up in a tizzy for page views.