Topics: Security, United Kingdom, Your Rights Online

FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers

An anonymous reader writes: Leading network security company FireEye, which has customers in government and the Fortune 500 list, has caused a controversy at a London security conference today after its legal attempts to stop a keynote speech detailing the repair of major security loopholes in its customer-facing systems this year. Reported among these now-fixed vulnerabilities was the running of a significant number of FireEye's Apache-based security servers as 'root' — meaning that any attacker able to compromise the servers would have had absolute power over all its operations and commercial connections.
  • What? (Score:5, Funny)

    by Etherwalk ( 681268 ) on Thursday September 10, 2015 @04:51PM (#50498979)

    Why is 'root' in quotes? Why is it defined (poorly) as if it were this mysterious thing giving absolute power over "commercial" connections?

    We're not the general public. We're nerds. Don't submit articles written for people who don't know what "root" is.

    • Re: (Score:3, Informative)

      Why is 'root' in quotes? Why is it defined (poorly) as if it were this mysterious thing giving absolute power over "commercial" connections

      Well, as "regular users" and "technically oriented" people we may not require "definitions" but "non-technical people" (aka "ordinary end users") may require "things" be more "spelled out" so they "understand" that the word is a "technical term". heh

      • A while ago, slashdot let a bunch of people making web sites create logins here. Sure, they believe they are "developers", but you have to explain stuff real slow to them.

    • Re:What? (Score:4, Informative)

      by satch89450 ( 186046 ) on Thursday September 10, 2015 @07:33PM (#50499935) Homepage
      It's proper writing style to enclose text like user names and passwords in some sort of quotation mark in formal writing. I do it all the time in magazine articles, white papers, and technical documentation.
      • It's actually more proper to use <literal> elements for these cases.

        Oh, you're not using DocBook?

        Too bad.

        Nevermind.

        • I used to use italics for such things in magazines, until one of my editors set me straight on the proper style. (The copy desk would do the conversions silently.) I suppose it's a matter of where the material is to appear, and the style the publication wants to use.
      • Yes, it's certainly an acceptable style on its own, but combined with the fact that they were trying to *define* it, it became obvious that it was written badly for a non-technical audience.

    • and really what's the point any more, so now you have root on some limited VM that only has access to the same connections you would have as any other user that apache may be running as. Ohh, but you could install drivers or some crap? Who cares, delete the vm fix the security leak in the config management and redeploy.

      • by rtb61 ( 674572 )

        The point is "U.S. security company FireEye's attempts to stifle any public disclosure of a major series of vulnerabilities in its suite", so the legal attempts to silence exposure, obviously they thought it was really, really bad, otherwise why spend money for lawyers and "Felix Wilhelm, a security researcher for ERNW GmbH, made FireEye aware of the vulnerabilities five months ago, and reportedly worked with the company to help them resolve the issues successfully.".

        So basically be smart piss of

  • Only one word - Ouch!
  • by bob_super ( 3391281 ) on Thursday September 10, 2015 @04:57PM (#50499035)

    I was just staring at Process Explorer, wondering why my company decided that the FireEye policy would allow it to max out one of my cores in the middle of the afternoon.

  • by Anonymous Coward

    Why, it is their intellectual property, it has to be protected. I suppose you could protect it in many different ways, they decided to rely on their lawyers to do it. Couldn't rely on their sysadmins to do it, quite obviously they haven't got any.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Thursday September 10, 2015 @05:00PM (#50499067) Homepage

    is not that they were running Apache as root - although that is a stupid thing to do, it could have been an oversight (just about). What is of major concern is how they try to hide their mistake by abuse of the legal system - this abuse is not an oversight and only makes me wonder what else FireEye is hiding -- I would think 3 times before hiring them.

    I am also disgusted at the German judge who gave an ex-parte order without having a return date so that the defendant (security researcher) could present his side of the argument. It does happen often in spite of heads of courts saying that it must not happen (in some UK court divisions anyway).

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      No, the really worrying part is that a modern tech company actually believed a court order would stop the spread of information.

    • by tnk1 ( 899206 ) on Thursday September 10, 2015 @05:25PM (#50499215)

      When does a "security company" not understand that you don't run a webserver as root? Just about every distro's webserver package will make a webserver run as a non-root user by default. These guys not only overlooked the fact that their webserver was running as root, they probably rolled their own web server install to begin with to even make that possible.

      As someone else pointed out, they must have used lawyers to protect their data, because they clearly didn't employ any system administrators.

      • by Anonymous Coward

        Shove the damn app into a docker container (kernel namespace) with read only storage. In this day and age, every application (even apps on your mobile phone) should be jailed in isolation. If someone manages to get "root" inside the jail, big deal, they can be king of the jail cell but not the entire prison.

        • by mlts ( 1038732 ) on Thursday September 10, 2015 @05:38PM (#50499307)

          SELinux is quite similar. Root might let them out of the cell, but they are not getting out of the cellblock. However, the ideal is definitely a docker container, just because it can run anywhere.

          • Nobody has replied about how easy it is to get out of a docker container so they are insecure crappy software that can't run in enterprise.

            Of course it means that someone has to break your code AND break docker, no matter how easy docker is to break it's still harder than not using docker.

        • every application (even apps on your mobile phone) should be jailed in isolation.

          Modern phone OSes already work this way. Additionally, applications downloaded from the Apple OS X store or Microsoft's Universal Apps also use a stronger permissions system and sandboxed model, as far as I understand.

          I agree that docker containers are a good starting point, but keep in mind they're not the end-all, be-all of security. Remember, exploits have been found that allow applications to escape virtual machines, and we've seen plenty of other sandboxes breached, so it seems foolish to believe tha

          • There have been plenty of security holes with Docker. Many of them were (and are) just simple misconfigurations, such as you could make with any security model (but Docker definitely doesn't inherently safeguard you from them, though its defaults have gotten better). Some were bugs in Docker itself, though they've gone pretty well there. Some were Linux bugs nobody had looked for / cared about until people started trying to do things like restrict root to not *actually* be root.

            Don't get me wrong, the whole

      • by spauldo ( 118058 )

        It's worse than that.

        I used to compile Apache myself (now I just use FreeBSD's port) and do all the setup manually.

        You have to intentionally set it to run as root. Every piece of documentation, including the sample config file, has the configuration set up to run as a user.

        The only way you could "accidentally" run it as root would be if you started with a blank config and only read part of the documentation. I have a hard time believing that anyone would actually do that.

        No, if they're running as root, th

        • Precisely. Amenities like selinux and docker containers are all very well, but most distros these days install an apache or http userid and run Apache under that ID and ONLY if you deliberately switch it off will you EVER run apache as root.

          Something's rotten in the State of Denmark.

        • then you have not read the "linuxQuestions" forum
          the bleeped bleeps that do not even BOTHER to read and study the documentation and think a few mouse clicks will install and CONFIGURE it

          i am in the group that ENCOURAGES that people new to Apache build the stack from source and manually install the parts about 12 times
          then use the package manager to save 30 min to 1 hour on install time

        • No, if they're running as root, they have a reason. I have no idea what that reason could possibly be, but there has to be one.

          Five will get you ten that they had a permissions problem and instead of fixing it right, they "solved" it by running the webserver as root.

      • by gweihir ( 88907 )

        Was possibly outsourced somewhere where they have even less skill (because the skilled ones all left...) and then not really tested or looked at because that costs money. This is a sign of clear and present danger from all Fire-Eye products though, as they apparently do not even understand the basics.

    • by gweihir ( 88907 )

      Well, the take-away is clearly to never ever buy Fire-Eye, as they will shamelessly lie about their incompetence. Of course, the same applies to most other vendors. Capitalism screws most people up that way.

    • by ebvwfbw ( 864834 )

      Running a web server as root is a 1990s thing. We used to laugh at it, fix it. 10 years ago it was considered professional incompetence. Today, for a security company, it's unforgivable. If you install apache on any of these distros, it's not root by default. Hasn't been for well over a decade. Meaning they had to set it that way. Probably because they weren't smart enough to get something to work using the regular security access controls. I bet - turn selinux off, set stuff to 777... hell run it as r
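Several replies in the thread above make the same point: every distro's httpd package creates a dedicated unprivileged account, a stock build refuses to serve as root unless compiled with -DBIG_SECURITY_HOLE, and so a root web server takes a deliberate User/Group change. The following is an added example, not code from the thread, from FireEye or from the Apache project: a small audit that checks the two places that change shows up, the User/Group directives in an httpd.conf and the effective user of the worker processes in `ps -eo pid,ppid,user,comm` output. The account names in EXPECTED_WEB_USERS and both sample inputs are constructed assumptions.

```python
# Added example (not from the Slashdot thread, FireEye or Apache): audit an
# httpd instance for the "deliberately configured as root" case.
#   1. User/Group directives in httpd.conf
#   2. effective user of worker processes in `ps -eo pid,ppid,user,comm` output
import re
from typing import Dict, List, Tuple

# Accounts distro packages commonly create for the web server (assumption, not exhaustive).
EXPECTED_WEB_USERS = {"www-data", "apache", "httpd", "http", "nobody", "_www"}

# Apache directives are case-insensitive; "\s+" keeps UserDir etc. from matching.
DIRECTIVE_RE = re.compile(r"^\s*(User|Group)\s+(\S+)", re.IGNORECASE)


def audit_config(config_text: str) -> List[str]:
    """Return one finding per User/Group directive that names root.

    httpd accepts a name or a numeric id written as "#uid", so "User root" and
    "User #0" are both flagged. Apache comments must start the line (there are
    no trailing comments), so "#0" is never mistaken for one.
    """
    findings: List[str] = []
    seen: Dict[str, str] = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        directive, value = m.group(1).capitalize(), m.group(2)
        seen[directive] = value
        if value in ("root", "#0"):
            findings.append(f"line {lineno}: '{directive} {value}' runs workers as root")
        elif directive == "User" and value not in EXPECTED_WEB_USERS:
            # Heuristic: an unfamiliar account is not wrong, but worth a look.
            findings.append(f"line {lineno}: 'User {value}' is not a usual web-server account; verify it is unprivileged")
    if "User" not in seen:
        findings.append("no User directive: the compile-time default applies; set it explicitly to a dedicated account")
    return findings


def audit_processes(ps_lines: List[str], names=("httpd", "apache2")) -> List[Tuple[int, str]]:
    """Return (pid, command) for web-server *workers* whose user is root.

    The listener process legitimately starts as root (it binds port 80/443 and
    then forks), so only children of another httpd/apache2 process are checked.
    """
    procs: Dict[int, Tuple[int, str, str]] = {}
    for line in ps_lines:
        parts = line.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, ppid, user, comm = int(parts[0]), int(parts[1]), parts[2], parts[3]
        procs[pid] = (ppid, user, comm)
    server_pids = {pid for pid, (_, _, comm) in procs.items() if comm in names}
    return sorted(
        (pid, comm)
        for pid, (ppid, user, comm) in procs.items()
        if comm in names and ppid in server_pids and user == "root"
    )


# Constructed sample inputs (not real FireEye data): one instance whose
# workers run as www-data, one whose workers run as root.
SAMPLE_CONFIG = """ServerRoot "/etc/httpd"
Listen 80
User root
Group root
# User apache
"""

SAMPLE_PS = """  PID  PPID USER     COMMAND
 1203     1 root     httpd
 1204  1203 www-data httpd
 1205  1203 www-data httpd
 2210     1 root     httpd
 2211  2210 root     httpd
 2212  2210 root     httpd
 3001     1 root     sshd
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
    for pid, comm in audit_processes(SAMPLE_PS.splitlines()):
        print(f"process: {comm} pid {pid} runs as root")
```

On a live host, feed `audit_processes` the output of `ps -eo pid,ppid,user,comm` and `audit_config` the merged configuration (`httpd -t -D DUMP_CONFIG` on recent builds, or the files an `Include` pulls in); the parent httpd will always show as root, which is expected, and the finding is any root child.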

  • by unimacs ( 597299 ) on Thursday September 10, 2015 @05:08PM (#50499113)
    Sometimes the companies most in need of the services they provide are themselves.

    I frequently walk by this handyman's house where he has a sign advertising his various services including painting. I shake my head every time I see it because his house needs a good paint job more than any other house on the block.
    • I used to regularly pass by an auto repair shop whose sign read "Percision Automotive".

    • by spauldo ( 118058 )

      I do woodworking as a hobby.

      I recently fixed a cabinet for a family member. A glue joint had come loose, not a big deal.

      My cabinets are missing half the doors and two of the drawers are busted. I just never seem to get around to fixing it...

      • I do woodworking as a hobby.

        I recently fixed a cabinet for a family member. A glue joint had come loose, not a big deal.

        My cabinets are missing half the doors and two of the drawers are busted. I just never seem to get around to fixing it...

        No different than people who work in IT, programming, etc and don't backup their systems....

  • Running httpd as root really solves a lot of those file permissions problems when you're writing files with cgi :)

  • by nedlohs ( 1335013 ) on Thursday September 10, 2015 @05:21PM (#50499199)

    Well not without compiling from source with -DBIG_SECURITY_HOLE set, which surely provides a "maybe we are doing this wrong" double check...

  • by Anonymous Coward

    I mean, how else are you going to be able to listen on port 80?
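The two comments above (the -DBIG_SECURITY_HOLE build flag, and "how else are you going to listen on port 80?") describe the split a stock httpd actually implements: the parent binds the privileged port while still root and then switches to the account named by User/Group before any request is handled. The following is an added example of that bind-then-drop pattern in Python, not code from the thread, from FireEye or from Apache; the account name, the loopback address and the fallback port are assumptions.

```python
# Added example (not from the Slashdot thread, FireEye or Apache): bind a
# privileged port first, then permanently drop to an unprivileged account.
import grp
import os
import pwd
import socket
from typing import Tuple


def bind_listener(host: str, port: int) -> socket.socket:
    """Bind and listen. Ports below 1024 need root (or CAP_NET_BIND_SERVICE),
    so this runs *before* the drop; the open socket stays usable afterwards."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(user: str) -> Tuple[int, int]:
    """Permanently switch to `user`; returns the new (uid, gid).

    Order matters: supplementary groups, then gid, then uid, because once the
    uid is no longer 0 the process cannot change its groups any more. setuid(2)
    called by root sets the real, effective *and* saved uid, so there is no way
    back; seteuid() would leave the saved uid at 0 and be reversible, which is
    the classic mistake.
    """
    pw = pwd.getpwnam(user)
    if os.getuid() == 0:
        # Only root may change the supplementary group list; do it first.
        groups = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
        os.setgroups(groups + [pw.pw_gid])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    return os.getuid(), os.getgid()


def can_become_root() -> bool:
    """True only if the process can still obtain uid 0, i.e. the drop failed or never happened."""
    try:
        os.setuid(0)
        return True
    except PermissionError:
        return False


def current_user() -> str:
    """Name of the account the process currently runs as."""
    return pwd.getpwuid(os.getuid()).pw_name


def current_ids() -> Tuple[int, int]:
    return os.getuid(), os.getgid()


if __name__ == "__main__":
    # Assumed target account; Debian/Ubuntu httpd packages use www-data.
    run_as = os.environ.get("RUN_AS", current_user())
    try:
        listener = bind_listener("127.0.0.1", 80)
    except PermissionError:
        listener = bind_listener("127.0.0.1", 8080)  # unprivileged fallback for the demo
    uid, gid = drop_privileges(run_as)
    print(f"listening on {listener.getsockname()}, now uid={uid} gid={gid}, "
          f"can regain root: {can_become_root()}")
    listener.close()
```

Run it as root with `RUN_AS=www-data` and the listener on port 80 survives the drop while `can_become_root()` reports False; the same sequence in reverse (drop, then bind) fails with EPERM, which is the permissions problem the thread suspects was "solved" by running everything as root.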

  • A "security" company running their servers as root...honestly, you can't make this stuff up.

  • by Anonymous Coward

    Per FireEye's official response to The Stack article: "No company in the world would want their IP revealed. "

    Wait, they *were* using open source software. Now I'm really confused...

    • From the Forbes article [forbes.com], there were many problems, with running the webservers as 'root' just one of them. Another was a pair of zip email attachments could trigger the FireEye software to "open the files for analysis and in doing so open a backdoor on its appliance". It sounds like the researcher heavily redacted his presentation, then presented, which is why we know what we do. It also means a lot of other juicy bits were probably removed and not presented, so the bad we know about (which is bad) is ju
    • "No company in the world would want their IP revealed. "

      Of course not.

      Especially if you are running a daemon with root privileges on a port on that IP.

  • by YesIAmAScript ( 886271 ) on Thursday September 10, 2015 @05:47PM (#50499373)

    If you do work for hire, you do not control whether you can publish information you discover doing that work.

    And what kind of security consultant airs his customers' dirty laundry? Not one that wants future customers.

    If he had found this on his own, it'd be his call. But if he did it for FireEye, it's FireEye's call.

  • Yeah but running everything as root is super-convenient, guys.

  • Three (3) weeks to serve the injunction? Someone has a new pair of shoes...
  • by h33t l4x0r ( 4107715 ) on Thursday September 10, 2015 @06:07PM (#50499487)
    It turned out that the root password was "password"
    • "It turned out that the root password was "password""

      DAMN! Now I know how they managed to resist my cracking attempts: I didn't think about the double quotes on "password"!

  • by nickweller ( 4108905 ) on Thursday September 10, 2015 @07:59PM (#50500017)
    "We tried to conceal from the researchers to publish our IP. No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now. Our Customers are protected." ref [thestack.com]
  • Clickbait Headlines (Score:2, Interesting)

    by Anonymous Coward

    So looking at this in depth, it looks like FireEye has already publicly disclosed said vulnerabilities after fixing them months ago. They then try to stop the presentation because it allegedly reveals too much of their IP (which is itself worth discussing but totally separate) and we get a bunch of headlines saying "ZOMG! FireEye is trying to silence people for revealing vulnerabilities!". This is trigger-happy, bullsh*t journalism at its finest. Not quite accurate or informative but just close enough t

  • Hmm, what is a "server", and what does it "do"?
