Free Access to Numerous Database Servers Represents Significant Risk
NGS research conducted during the third week of November 2007 found that 124,000 Oracle database servers and 368,000 Microsoft SQL servers are open to attacks at various levels.
The survey used software to collect a random sample of 1.16 million Internet Protocol (IP) addresses and tested each one to determine whether a database server was unprotected, i.e., directly accessible from the Internet. When it found one, the software verified the server type and version and recorded the details. The software found 53 Oracle servers and 157 SQL servers that were unprotected. The final figures were obtained by extrapolating from the sample to the total of 2.71 billion IP addresses.
The report, entitled "The Database Exposure Survey 2007", revealed that about 124,000 Oracle servers and 368,000 Microsoft SQL servers had no firewall protection, making them directly accessible online. The survey was last carried out in 2005.
According to David Litchfield, author of the survey, these findings point to a significant threat. SearchSecurity reported this on November 14, 2007. Litchfield said that, while it is nearly impossible to count how many of these systems are involved in commercial dealings, with a little less than half a million servers within open reach it is clearly possible for outside criminals and hackers to gain access to these servers and to information that is both sensitive and confidential.
Ben Greenbaum, Senior Research Manager with Symantec Security Response, said he was surprised by the huge number of SQL servers exposed in this manner. Redmond Channel Partner reported this on November 14, 2007. The exposed servers indicate the absence of proper patching policies in many organizations, Greenbaum said.
However, these findings do not suggest that SQL Server is inherently insecure, a spokesman for Microsoft pointed out via e-mail. He further stated that NGS Security had published a paper after searching for database servers that were accessible to the general public on the Internet; the search found no new security hole in SQL Server. Still, system and database administrators should make sure that a firewall is deployed and configured in line with local security policies.
SPAMfighter News - 29-11-2007