Survey finds thousands of database servers open to attack

By Robert Westervelt, News Editor
14 Nov 2007 | SearchSecurity.com


SAN FRANCISCO -- A new report from security guru David Litchfield shows that thousands of Microsoft SQL Server and Oracle database servers can be accessed on the Internet, lack critical updates and are vulnerable to attack.

Litchfield, managing director at UK-based NGS (Next Generation Security) Software Ltd., examined the number of Microsoft SQL Server and Oracle database servers that are on the Internet and not protected by a firewall. The report, called "The Database Exposure Survey 2007," found that about 368,000 Microsoft SQL Servers and 124,000 Oracle database servers were directly accessible on the Internet and not protected by a firewall. The survey was last conducted in 2005.

"In the author's opinion, these findings represent a significant risk," Litchfield said. "Whilst it's not possible to say how many of these systems are engaged in a commercial function, with just under half a million servers accessible there is clearly potential for external hackers and criminals to gain access to these systems and to sensitive information."

Litchfield said 66% of the Oracle database servers found were running versions with known critical vulnerabilities. He said 82% of the SQL Servers were running SQL Server 2000, and only 46% were running Service Pack 4, with the remainder on Service Pack 3a or earlier. DBAs are also failing to deploy hotfixes and are instead waiting for service packs for SQL Server, he said.

"It may be the case that many database administrators don't even know that their systems are accessible over the Internet," Litchfield said.

In addition, the number of SQL Server databases at risk has increased significantly since the survey was last conducted in 2005, Litchfield said. There were around 210,000 unprotected SQL Servers in 2005 and today the survey found about 368,000 at risk.

Database administrators attending Oracle OpenWorld 2007 weren't surprised by the results of the survey. Many times DBAs implement a test server and don't even realize it's available online and vulnerable to attack, said Tim Spoddard, a DBA with a Midwestern retailer.

"It's a good reminder to take a look at your systems," Spoddard said. "In this day and age you want to close off the attack vectors to avoid a breach."

Andy Lehman, a DBA based in San Jose, Calif., said most database servers accessible on the Internet likely don't contain sensitive information. Still, they should be locked down and separated from critical systems, he said.

"If they're not updated and have critical flaws, they probably don't contain anything worth stealing," he said. "It still provides a jumping off point for an attacker."

Litchfield said database servers should be tested to make sure they can't be accessed from the Internet. Also, any external access to database servers should be controlled by a firewall to only allow connections from set IP addresses or address ranges, he said.
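The two checks Litchfield recommends, as an added example that is not part of the article or of NGS Software's survey tooling: probe your own inventory for Internet-reachable SQL Server and Oracle listeners from an outside vantage point, and review observed client addresses against the firewall allowlist. The default ports, hostnames, and log entries below are assumptions or constructed sample data.

```python
import ipaddress
import socket

# Default listener ports for the two products named in the survey (assumed
# defaults; instances bound to non-default ports must be added here).
DB_PORTS = {"mssql": 1433, "oracle-tns": 1521}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed(hosts, ports=DB_PORTS, connect=tcp_reachable):
    """Probe each inventory host on each database port from this vantage point.

    Run from OUTSIDE the perimeter (a host you control on the public Internet),
    so a successful connect means the listener is Internet-reachable. The
    connect function is injectable so the logic can be exercised offline.
    """
    exposed = []
    for host in hosts:
        for name, port in ports.items():
            if connect(host, port):
                exposed.append((host, name, port))
    return exposed


def source_allowed(src_ip, allowed_ranges):
    """Firewall-style allowlist check: is src_ip inside any approved range?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in allowed_ranges)


def unexpected_sources(connection_log, allowed_ranges):
    """From (src_ip, dst_port) pairs taken from a listener or firewall log,
    return the connections that came from outside the approved ranges."""
    return [(ip, port) for ip, port in connection_log
            if not source_allowed(ip, allowed_ranges)]


if __name__ == "__main__":
    # Constructed sample inventory, allowlist and log; replace with your own.
    inventory = ["db-test-01.example.net", "db-prod-02.example.net"]
    for host, name, port in find_exposed(inventory):
        print(f"EXPOSED: {host} answers on {name}/{port} from this vantage point")
    allowed = ["203.0.113.0/24", "198.51.100.10/32"]   # approved client ranges
    sample_log = [("203.0.113.7", 1433), ("192.0.2.99", 1521)]
    for ip, port in unexpected_sources(sample_log, allowed):
        print(f"REVIEW: connection from {ip} to port {port} is outside the allowlist")
```

A listener that is reachable from outside but not in the allowlist report is the "test server nobody knew was online" case the DBAs describe; the fix is a firewall rule permitting those ports only from the approved ranges.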
