Half a million databases are wide open to all

Half a million databases are wide open to all
Half a million databases are wide open to all 

By Robert McMillan
IDG news service
14 November 2007

A half a million database servers are without any firewall protection 
according to security researcher David Litchfield.

NGSSoftware managing director, Litchfield took a look at just over 1 
million randomly generated Internet Protocol [IP] addresses, checking 
them to see if he could access them on the IP ports reserved for 
Microsoft SQL Server or Oracle's database. The results? He found 157 SQL 
servers and 53 Oracle servers. Litchfield then relied on known estimates 
of the number of systems on the Internet to arrive at his conclusion: 
"There are approximately 368,000 Microsoft SQl Servers... and about 
124,000 Oracle database servers directly accessible on the Internet," he 
wrote in his report, due to be made public next week.

This is not the first time that Litchfield has conducted this type of 
research. Two years ago, he released his first Database Exposure Survey, 
estimating that there were about 350,000 Microsoft and Oracle databases 

This 2007 version of the Database Exposure Survey is set to be published 
Monday on Litchfield's Database Security website.

With no firewall, databases are exposed to hackers, putting corporate 
data at risk. Litchfield said that, given the amount of press generated 
by corporate data breaches over the past two years, it's amazing to find 
that there are more databases exposed than ever before. "I think it's 
terrible," he said. "We all run around like headless chickens following 
these data breach headlines... organisations out there really don't 
care. Why are all these sites hanging out there without the protection 
of a firewall?"

This year's Oracle tally is actually down from Litchfield's 2005 
estimate, which counted 140,000 Oracle systems. That same study placed 
the SQL server total at 210,000.

The security researcher wasn't sure why Oracle's numbers had declined 
while Microsoft's had risen. "Microsoft's technology is certainly easier 
to install. Maybe the increase in SQL server numbers is simply a 
function of that," he said.

In the 2005 survey, Litchfield found an even larger number of the 
open-source MySQL databases outside of the firewall. The 2007 survey 
does not count MySQL, however.

There was one other disturbing finding in Litchfield's 2007 survey: Many 
of these unprotected databases are also unpatched. In fact, 4 percent of 
the SQL Server databases Litchfield found were still vulnerable to the 
flaw that was exploited by 2003's widespread SQL Slammer worm. "People 
aren't protecting themselves with firewalls and the patch levels are 
atrocious," he said.

About 82 percent of the SQL Servers were running older SQL Server 2000 
software, and fewer than half of those had the product's latest Service 
Pack updates installed. On the Oracle side, 13 percent of the servers 
were running older versions of the database that no longer receive 
patches. These Oracle 9.0 and earlier databases are known to have 
security vulnerabilities, Litchfield said.

Litchfield, who wrote the proof of concept code that was eventually used 
by Slammer, said that this many unsecured databases is enough to sustain 
another worm outbreak. "There's certainly potential there," he said. "So 
the question is what's the likelihood? [That's] much more difficult to 

Visit InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods