Security flaws in security tools are all too common

FireEye runs a bunch of its processes as root, a practice that has been a no-no since the late 1990s, and it is more interested in litigation than in working with the guy who discovered it.

The attitude is all too common.

A couple of years ago I was working for a large company installing LogLogic, a log aggregation appliance that costs as much as a decent house in St. Louis, and I had to perform a semi-documented hack to get it to work the way it was specified. The instructions didn’t make any sense, but the field service tech assured me they worked. She didn’t admit LogLogic runs everything as root, but it only took me a few seconds to confirm it. LogLogic appliances have one user at the operating system level, root, and they add insult to injury by doing everything in MySQL as root as well. A passwordless root user, at that.
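Confirming the two findings above takes only a few commands on any Linux-based appliance you have shell access to. The script below is an added example written for this page, not code from the post, from TIBCO or from FireEye: it lists the services running as uid 0 from `ps` output and probes whether the local MySQL root account accepts an empty password. The daemon names in the filter and the sample process listing are constructed for illustration; adjust them for the box you are auditing.

```shell
#!/bin/sh
# Added least-privilege audit for an appliance (example code, not the vendor's).
# Two checks: which services run as root, and whether MySQL root is passwordless.

# Given `ps -eo user,pid,comm` output on stdin, print the command names that
# run as root, skipping the header line and kernel threads (names in []).
root_services() {
    awk 'NR > 1 && $1 == "root" && $3 !~ /^\[/ { print $3 }'
}

# Keep only root-owned services that look like network-facing daemons, i.e.
# the ones whose compromise hands an attacker uid 0 directly.
# The name list is an assumption; extend it for your appliance's daemons.
root_network_services() {
    root_services | grep -E '^(mysqld|httpd|nginx|java|tomcat|sshd|rsyslogd|logcollector)$'
}

# Probe the local MySQL root account with an empty password over the socket.
# Prints "passwordless", "protected", "unreachable" or "skipped" (no client).
mysql_root_passwordless() {
    if ! command -v mysql >/dev/null 2>&1; then
        echo skipped
        return 2
    fi
    # Capture stderr so an access-denied reply can be told apart from
    # a server that is simply not running.
    if err=$(mysql -uroot --password= -e 'SELECT 1' 2>&1 >/dev/null); then
        echo passwordless
        return 0
    fi
    case "$err" in
        *"Access denied"*) echo protected; return 1 ;;
    esac
    echo unreachable
    return 2
}

# Constructed sample of `ps -eo user,pid,comm` from an appliance where the
# database, web UI and log collector all run as root; ntpd is the exception.
SAMPLE_PS='USER       PID COMMAND
root         1 init
root         2 [kthreadd]
root      1203 mysqld
root      1310 httpd
root      1422 logcollector
ntp       1500 ntpd'

# Number of root-owned processes in the sample (kernel threads excluded).
count_root_processes() {
    printf '%s\n' "$SAMPLE_PS" | root_services | wc -l | tr -d ' '
}

# Number of root-owned network daemons in the sample.
count_root_network_services() {
    printf '%s\n' "$SAMPLE_PS" | root_network_services | wc -l | tr -d ' '
}

# Run against the sample listing, then against the real host if you have one:
#   ps -eo user,pid,comm | root_network_services
echo "root-owned network daemons in sample:"
printf '%s\n' "$SAMPLE_PS" | root_network_services
echo "mysql root empty-password check: $(mysql_root_passwordless || :)"
```

On a real host, pipe `ps -eo user,pid,comm` into `root_network_services` instead of the sample. A non-empty list plus a `passwordless` result means a single bug in any listed daemon, or a single SQL injection in the web UI, is already a full root compromise of the appliance.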

When I told TIBCO, the makers of LogLogic, that this was a terrible practice, they argued with me. I did manage to talk to a director, but all he said was that they had determined this wasn’t a problem, then fell back on an appeal to authority, talking about how highly respected their engineers are.

I happened to know that Dell SecureWorks resells a lot of TIBCO gear, so I even went to Dell and asked them if they could pressure TIBCO into fixing these horrific defects. I don’t know if they had any more success than I did, but they did acknowledge that passwords and least privilege are things we’re supposed to do.

So I’m not all that surprised that FireEye is more interested in litigation than in setting up unprivileged users on its gear.

A question I’ve heard at almost every job interview in the last three or four years has been about overlooked security flaws. I have two answers to that question that usually send people scrambling for a pen and paper. The first thing I say is that networking gear, like switches and routers, gets updates frequently but people rarely deploy them. The other thing I say is that security appliances are often more vulnerable than the non-security gear they’re supposed to protect, and we don’t necessarily get updates to fix that.

The security fix for LogLogic is to replace it with Splunk. But I’m not sure what you’re supposed to do to replace FireEye.

If you found this post informative or helpful, please share it!