FireEye Tries to Bury Keynote Reporting That It Ran Apache As Root On Security Servers 108
An anonymous reader writes: Leading network security company FireEye, which has customers in government and the Fortune 500 list, has caused a controversy at a London security conference today after its legal attempts to stop a keynote speech detailing the repair of major security loopholes in its customer-facing systems this year. Reported among these now-fixed vulnerabilities were the running of a significant number of FireEye's Apache-based security servers as 'root' — meaning that any attacker able to compromise the servers would have had absolute power over all its operations and commercial connections.
What? (Score:5, Funny)
Why is 'root' in quotes? Why is it defined (poorly) as if it were this mysterious thing giving absolute power over "commercial" connections?
We're not the general public. We're nerds. Don't submit articles written for people who don't know what "root" is.
Re: (Score:3, Informative)
Why is 'root' in quotes? Why is it defined (poorly) as if it were this mysterious thing giving absolute power over "commercial" connections
Well, as "regular users" and "technically oriented" people we may not require "definitions" but "no-technical people" (aka "ordinary end users") may require "things" be more "spelled out" so they "understand" that the word is a "technical term". heh
Re: (Score:2)
Awhile ago, slashdot let a bunch of people making web sites create logins here. Sure, they believe they are "developers", but you have to explain stuff real slow to them.
Re:What? (Score:4, Funny)
I run all my security-sensitive services as the "streisand" user
Re: (Score:1)
I run all my security-sensitive services as the "streisand" user
# id babbs
uid=0(root) gid=0(root)
#
Re:What? (Score:4, Informative)
Re: (Score:2)
It's actually more proper to use <literal> elements for these cases.
Oh, you're not using DocBook?
Too bad.
Nevermind.
Re: (Score:2)
Re: (Score:2)
There is no such things as proper style. Just subjective standards pushed on people.
Re: (Score:2)
Yes, it's certainly an acceptable style on its own, but combined with the fact that they were trying to *define* it, it became obvious that it was written badly for a non-technical audience.
Re: (Score:2)
and really what's the point any more, so now you have root on some limited VM that only has access to the same connections you would have as any other user that apache may be running as. Ohh, but you could install drivers or some crap? Who cares, delete the vm fix the security leak in the config management and redeploy.
Re: (Score:2)
The point is "U.S. security company FireEyeâ(TM)s attempts to stifle any public disclosure of a major series of vulnerabilities in its suite", so the legal attempts to silence exsopire,obviously they thought it was really, really bad, otherwise why spend money for lawyers and "Felix Wilhelm, a security researcher for ERNW GmBH, made FireEye aware of the vulnerabilities five months ago, and reportedly worked with the company to help them resolve the issues successfully.".
So basically be smart piss of
Ouch (Score:1)
Re: They want to lay the blame on a guy named roo (Score:1)
I wonder what happens when Robert Oot is assigned a unix login.
Re: (Score:2)
Amusing coincidence... (Score:4, Interesting)
I was just staring at Process Explorer, wondering why my company decided that the FireEye policy would allow it to max out one of my cores in the middle of the afternoon.
Re:Amusing coincidence... (Score:4, Funny)
dumb fux (Score:1)
Why, it is their intellectual property, it has to be protected. I suppose you could protect it in many different ways, they decided to rely on their lawyers to do it. Couldn't rely on their sysadmins to do it, quite obviously they haven't got any.
What is really worrying ... (Score:5, Insightful)
is not that they were running Apache as root - although that it a stupid thing to do, it could have been an oversight (just about). What is of major concern is how they try to hide their mistake by abuse of legal system - this abuse is not an oversight and only makes me wonder what else FireEye is hiding -- I would think 3 times before hiring them.
I am also disgusted at the German judge who gave an ex-parte order without having a return date so that the defendant (security researcher) could present his side of the argument. It does happen often in spite of heads of courts saying that it must not happen (in some UK court divisions anyway).
Re: (Score:3, Insightful)
No, the really worrying part is that a modern tech company actually believed a court order would stop the spread of information.
Re:What is really worrying ... (Score:4, Insightful)
When does a "security company" not understand that you don't run a webserver as root? Just about every distro's webserver package will make a webserver run as a non-root user by default. These guys not only overlooked the fact that their webserver was running as root, they probably rolled their own web server install to begin with to even make that possible.
As someone else pointed out, they must have used lawyers to protect their data, because they clearly didn't employ any system administrators.
Re: What is really worrying ... (Score:2, Insightful)
Shove the damn app into a docker container (kernel namespace) with read only storage. In this day and age, every application (even apps on your mobile phone) should be jailed in isolation. If someone manages to get "root" inside the jail, big deal, they can be king of the jail cell but not the entire prison.
Re: What is really worrying ... (Score:4, Insightful)
SELinux is quite similar. Root might let them out of the cell, but they are not getting out of the cellblock. However, the ideal is definitely a docker container, just because it can run anywhere.
Re: (Score:2)
Nobody has replied about how easy it is to get out of a docker container so they are insecure crappy software that can't run in enterprise.
Of course it means that someone has to break your code AND break docker, no matter how easy docker is to break it's still harder than not using docker.
Re: (Score:2)
Isn't Docker OS agnostic, where a container can be sitting on a Linux box, or a Windows Server 2016 machine (when the OS goes RTM) that either runs the container in the current VM, or spawns a VM using Hyper-V for it.
To me, I read/hear about how great it is for applications to be in the neat little vacuum beds that Docker provides... but the fact that UID root in the container is UID root in the underlying machine or VM is concerning. At least MS solves this by giving the option to put containers in their
Re: (Score:2)
Re: (Score:2)
docker is a different approach to the same problem that VMs solve. UID 0 in a container may be nearly the same as UID 0 outside a container, but the simple fix to that is don't run anything inside the container as UID 0 and don't install anything that grants permission upgrade, they are not needed.
Re: (Score:2)
If you can't trust your developers you shouldn't be blindly deploying their code either.
Re: (Score:2)
every application (even apps on your mobile phone) should be jailed in isolation.
Modern phone OSes already work this way. Additionally, applications downloaded from the Apple OS X store or Microsoft's Universal Apps also use a stronger permissions system and sandboxed model, as far as I understand.
I agree that docker containers are a good starting point, but keep in mind they're not the end-all, be-all of security. Remember, exploits have been found that allow applications to escape virtual machines, and we've seen plenty of other sandboxes breached, so it seems foolish to believe tha
Re: (Score:2)
There have been plenty of security holes with Docker. Many of them were (and are) just simple misconfigurations, such as you could make with any security model (but Docker definitely doesn't inherently safeguard you from them, though its defaults have gotten better). Some were bugs in Docker itself, though they've gone pretty well there. Some were Linux bugs nobody had looked for / cared about until people started trying to do things like restrict root to not *actually* be root.
Don't get me wrong, the whole
Re: (Score:3)
It's worse that that.
I used to compile Apache myself (now I just use FreeBSD's port) and do all the setup manually.
You have to intentionally set it to run as root. Every piece of documentation, including the sample config file, has the configuration set up to run as a user.
The only way you could "accidentally" run it as root would be if you started with a blank config and only read part of the documentation. I have a hard time believing that anyone would actually do that.
No, if they're running as root, th
Re: (Score:3)
Precisely. Amenities like selinux and docker containers are all very well, but most distros these days install an apache or http userid and run Apache under that ID and ONLY if you deliberately switch it off will you EVER run apache as root.
Something's rotten in the State of Denmark.
Re: (Score:2)
then you have not read the "linuxQuestions" forum
the bleeped bleeps that do not even BOTHER to read and study the documentation and think a few mouse cklicks will install and CONFIGURE it
i am in the group that ENCOURAGES that new to Apache people build the stack from source and manually install the parts about 12 times
then use the package manager to save 30 min to 1 hour on install time
Re: (Score:2)
Five will get you ten that they had a permissions problem and instead of fixing it right, they "solved" it by running the webserver as root.
Re: (Score:2)
Was possibly outsourced somewhere where they have even less skill (because the skilled ones all left...) and then not really tested or looked at because that costs money. This is a sign of clear and present danger from all Fire-Eye products though, as they apparently do not even understand the basics.
Re: (Score:2)
"Preview" is for sissies. Cool people use "Cancel".
Re: (Score:3)
Meh. Too much meth. Seriously hallucinating.
Port 80 has been around a long time. 8080 got nominated for things like Tomcat which cannot chroot themselves.
Wikipedia says you're wrong (Score:2)
I wish you kids would stop running your mouths while the adults are talking. Port 8080 has been used since the beginning for the web. It was used long before Java even existed.
According to Wikipedia, the "web" was created in November of 1990, and Java in June 1991.
Also according to Wikipedia, port 8080 is associated with Tomcat.
You may now apologize to RabidReindeer for being wrong and disrespectful, and also apologize to adults in general for making stupid statements in their name.
Re: (Score:2)
the grumpy said "long before java was even created", not tomcat. I just wanted to let him see how annoying it is when someone takes stuff verbatim and uses it to "prove" someone wrong, like he did to the other guy. And he has the audacity of telling other people to stop posting, as if he was the owner of this forum. Disrespectful.
Anyways if we were to consider this thing in the context of this story, which is security experts running their web server as root, the relevance of whatever the fuck port 8080 was
Re: (Score:2)
> connects to a port 1023,
That is not what I wrote. I know it is less than port 1024. I wrote less than or equal to. It is sad this site is such shit that the people running it feel the need to corrupt what we post. I did not post that. /. is trying to make us look like idiots by misquoting us.
/. comments allow HTML tags so it tries to interpret < and > as HTML. Your point is stupid in the first place, I wish ./ would have just deleted it. Pretty much any service that needs to open a privileged port opens the port and then executes the server under a service user rather than root. Apache comes configured like this by default on any Linux platform I have ever seen, they would have had to manually change the config to make it run as root.
Re: (Score:2)
Your point is stupid in the first place, I wish ./ would have just deleted it.
No, for that the syntax is ./rm, but only if your current working directory is /bin. Also depending on your distro you may have to add -f otherwise it won't just delete things, it will ask for a confirmation first.
Re: (Score:2)
What's tragic is that, in this second decade of the 21st Century, there are still ignorami who don't know what entity references are for.
Re: (Score:2)
Re: (Score:2)
Well, the take-away is clearly to never ever buy Fire-Eye, as they will shamelessly lie about their incompetence. Of course, the same applies to most other vendors. Capitalism screws most people up that way.
Re: (Score:1)
Running a web server as root is a 1990s thing. We used to laugh at it, fix it. 10 years ago it was considered professional incompetence. Today, for a security company, it's unforgivable. If you install apache on any of these distros, it's not root by default. Hasn't been for well over a decade. Meaning they had to set it that way. Probably because they weren't smart enough to get something to work using the regular security access controls. I bet - turn selinux off, set stuff to 777... hell run it as r
Should really eat your own dog food. (Score:3)
I frequently walk by this handyman's house where he has a sign advertising his various services including painting. I shake my head every time I see it because his house needs a good paint job more than any other house on the block.
Re: (Score:3)
I used to regularly pass by a auto repair shop whose sign read "Percision Automotive".
Re: (Score:2)
P.S.=> Gotta ask: Was the place any good @ fixing rides or what? apk
I don't know first-hand, since they weren't located all that close to where I live; but they do still exist, and fixed their sign perhaps a decade ago - so I'm guessing they must at least be good enough to keep clients.
Re: (Score:2)
I do woodworking as a hobby.
I recently fixed a cabinet for a family member. A glue joint had come loose, not a big deal.
My cabinets are missing half the doors and two of the drawers are busted. I just never seem to get around to fixing it...
Re: (Score:2)
I do woodworking as a hobby.
I recently fixed a cabinet for a family member. A glue joint had come loose, not a big deal.
My cabinets are missing half the doors and two of the drawers are busted. I just never seem to get around to fixing it...
No different than people who work in IT, programming, etc and don't backup their systems....
Re: (Score:2)
How would you feel about a painter who has so little work that he spends all of his time detailing his house?
I'd say he's got at least enough free time to keep his skills up.
If he doesn't have time to do his own house, then he's not using his resources efficiently, as he should either be profitable enough to hire help and free up some time or he's just slapping paint as fast as he can to save money. NEVER trust anyone who's working 100%. They don't have the reserve resources to handle life's obstacles.
Or he's bone lazy and only works when someone's paying (if then).
Root for the convience of it all. (Score:2)
Running httpd as root really solves a lot of those file permissions problems when you writing files with cgi :)
I didn't think you could run apache as root (Score:3)
Well not without compiling from source with -DBIG_SECURITY_HOLE set, which surely provides a "maybe we are doing this wrong" double check...
Of course they ran it as root. (Score:1)
I mean, how else are you going to be able to listen on port 80?
Unbelievable, yet believable (Score:2)
A "security" company running their servers as root...honestly, you can't make this stuff up.
And they hate open source (Score:1)
Per FireEye's official response to the The Stack article: "No company in the world would want their IP revealed. "
Wait, they *were* using open source software. Now I'm really confused...
Re: (Score:3)
Re: (Score:2)
"No company in the world would want their IP revealed. "
Of course not.
Specially if you are running a daemon with root privileges on a port on that IP.
he did this work under contract to FireEye (Score:5, Insightful)
If you do work for hire, you do not control whether you can publish information you discovering doing that work.
And what kind of security consultant airs his customers' dirty laundry? Not one that wants future customers.
If he had found this on his own, it'd be his call. But if he did it for FireEye, it's FireEye's call.
Yeah but (Score:2)
Yeah but running everything as root is super-convenient, guys.
Who paid off the German District Court? (Score:2)
Almost as bad... (Score:3)
Re: (Score:2)
"It turned out that the root password was "password""
DAMN! Now I know how they managed to resist my cracking attempts: I didn't think about the double quotes on "password"!
FireEye wanted to conceal IP .. (Score:3)
Re: (Score:2, Funny)
199.83.131.186 - no big secret.
Re: (Score:3)
Re: (Score:1)
What they don't mention is that IP in this case stands for Idiotic Problems.
Clickbait Headlines (Score:2, Interesting)
So looking at this in depth, it looks like FireEye has already publicly disclosed said vulnerabilities after fixing them months ago. They then try to stop the presentation because it allegedly reveals too much of their IP (which is itself worth discussing but totally separate) and we get a bunch of headlines saying "ZOMG! FireEye is trying to silence people for revealing vulnerabilities!". This is trigger happy, bullsh*t journalism at its finest. Not quite accurate or informative but just close enough t
"server"? (Score:1)