November 14, 2007
Half a million database servers 'have no firewall'
Major security risk is enough to sustain another mass worm outbreak
By Robert McMillan, IDG News Service
There are nearly half a million database servers exposed on the Internet without firewall protection, according to UK-based security researcher David Litchfield.
Litchfield took a look at just over 1 million randomly generated Internet Protocol (IP) addresses, checking each one to see whether it answered on the IP ports reserved for Microsoft SQL Server or Oracle's database.
He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet," he wrote in his report, due to be made public next week.
This is not the first time that Litchfield, managing director of NGSSoftware, has conducted this type of research. Two years ago, he released his first Database Exposure Survey, estimating that there were about 350,000 Microsoft and Oracle databases exposed.
This 2007 version of the Database Exposure Survey is set to be published Monday on Litchfield's Databasesecurity.com Web site. IDG News was given a preliminary copy of the findings.
With no firewall, databases are exposed to hackers, putting corporate data at risk. Litchfield said that, given the amount of press generated by corporate data breaches over the past two years, it's amazing to find that there are more databases exposed than ever before.
"It's terrible," he said in an interview. "We all run around like headless chickens following these data breach headlines... organisations out there really don't care. Why are all these sites hanging out there without the protection of a firewall?"
This year's Oracle tally is actually down from Litchfield's 2005 estimate, which counted 140,000 Oracle systems. That same study placed the SQL server total at 210,000.
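The survey's extrapolation step, worked through as an added example (this is not Litchfield's code or the article's). It takes the article's own figures: 1,000,000 addresses probed, 157 responding on the SQL Server port and 53 on the Oracle port, and the published totals of 368,000 and 124,000. The article does not say what Internet population those hits were scaled to; both totals back out to roughly 2.34 billion addresses, so that figure is an assumption here. The example also attaches a 95% Wilson interval to each estimate, which the article does not do, to show how much sampling uncertainty sits behind a headline number built from 157 or 53 hits.

```python
from math import sqrt

# Figures quoted in the article: 1,000,000 random IPv4 addresses probed,
# 157 answered on the SQL Server port and 53 on the Oracle port.
SAMPLE = 1_000_000
HITS = {"mssql": 157, "oracle": 53}
REPORTED = {"mssql": 368_000, "oracle": 124_000}

# Assumption: the article never states the address population it scaled to.
# Both published totals imply about 2.34 billion, so that value is used here.
POPULATION = 2_344_000_000


def implied_population(hits, reported, sample=SAMPLE):
    """Address population that turns `hits` out of `sample` into `reported`."""
    return reported * sample / hits


def wilson_interval(hits, sample, z=1.96):
    """95% Wilson score interval for the true fraction of responding addresses.

    Used instead of the plain normal approximation because the observed
    proportions (around 1e-4) are far too small for that approximation."""
    p = hits / sample
    denom = 1 + z * z / sample
    centre = (p + z * z / (2 * sample)) / denom
    half = z * sqrt(p * (1 - p) / sample + z * z / (4 * sample * sample)) / denom
    return centre - half, centre + half


def estimate_exposed(hits, sample=SAMPLE, population=POPULATION):
    """Point estimate and 95% interval for exposed hosts, scaled to the population."""
    lo, hi = wilson_interval(hits, sample)
    return {
        "point": round(hits / sample * population),
        "low": round(lo * population),
        "high": round(hi * population),
    }


def survey_estimates():
    """Estimates for both products from the article's hit counts."""
    return {name: estimate_exposed(hits) for name, hits in HITS.items()}


if __name__ == "__main__":
    for name, est in survey_estimates().items():
        print(f"{name}: ~{est['point']:,} exposed "
              f"(95% interval {est['low']:,} to {est['high']:,})")
```

Two things fall out of running this. The Oracle interval runs from roughly 95,000 to 162,000, which contains the 2005 figure of 140,000, so on this sample size alone the drop in Oracle hosts cannot be separated from sampling noise. And the whole calculation estimates addresses that answer on a database port; whether a responder is a production server, a developer's workstation or a honeypot is a separate question the probe cannot settle.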
Comments received
Stupidity said on Wednesday, 14 November 2007
Yet another stupid article.
This is the same as saying "Half a million HTTP servers have no firewalls." Did it ever occur to anyone that maybe these servers are designed to be internet based? Did you ever bother mentioning that database servers require a username and a password to get in? No, you just write some stupid article feeding the paranoid lunatics who think all hell is breaking loose. The IT people know wtf they're doing. Stop trying to bullshit us.
Tomy James said on Wednesday, 14 November 2007
I don't think so mate. The guy who did this research is no slouch. He is the person who was banging away about Oracle security for years - and he was proved right. Of course you can make a mistake when you extrapolate but the basic tendency is right. For every server deliberately outside the firewall I bet there are ten that the IT department doesn't know about.
BillyBob said on Wednesday, 14 November 2007
Usernames/passwords ?? Come on Stupidity (no misnomer as it happens), ever heard of buffer overflows? Leaving unpatched boxes accessible like this is an open invitation.
JustMe said on Wednesday, 14 November 2007
BillyBob, who said anything about unpatched?
BillyBob said on Wednesday, 14 November 2007
JustMe - "There was one other disturbing finding in Litchfield's 2007 survey: Many of these unprotected databases are also unpatched."
Jobsworth said on Wednesday, 14 November 2007
Who said anything about them being unpatched? Litchfield has presumably found 157 machines which have port 1433 open. Nothing more. This bears no relation to their patch status and gives no insight into any hardening other than making that port non-responsive. In isolation it may be interesting, but to use these figures, extrapolate out and suggest that half a million servers are inherently insecure is simply flawed logic. Then again, an article which reads 'I have found 157 machines which have a port open' probably wouldn't allow him to get a plug for his company into the news...
derrick and clive said on Wednesday, 14 November 2007
Even internet facing db servers providing an external service should be limited - at the very least by the src ip addresses that can connect to them.
Stooshie said on Wednesday, 14 November 2007
[quote]The security researcher wasn't sure why Oracle's numbers had declined while Microsoft's had risen[/quote]
Because the random IP addresses hit more users with Windows than with any other system (i.e. home users) and more home users have become aware of the need to switch the firewall on.
Also the conclusion that an IP address with, say, the Oracle port open, is a database server is wrong. It could just be a home user with no firewall. Yes, a security risk for that user, but not the same as a database being open to the web.
Jobsworth said on Wednesday, 14 November 2007
derrick and clive - I agree, and it's certainly true that there will be many organisations which don't follow this practice...the problem is this research does little or nothing to prove or disprove this theory. The article above refers to 'exposing corporate data', yet there's really nothing in this article to suggest that these IPs (randomly generated remember) belonged to organisations rather than, say, a home user. There's a strong suggestion that merely getting an acknowledgement on the given port was proof conclusive of an exposed corporate database - that's a bit of a leap.
Jobsworth said on Wednesday, 14 November 2007
As if to prove my point... Look on the right panel at the TechWorld news - "Half a million databases are wide open to all" - same story with a marginally more absurd headline, that's like saying that my bank account is wide open to all because my bank has branches. visible != vulnerable. The articles also suggest that an open port is the same as a bona fide corporate SQL server, which is more akin to suggesting I am a multinational company which does all its banking with Lloyds because I can draw a horse.
Branedy said on Wednesday, 14 November 2007
How many of the open ports were honeypots?
Tomy James said on Wednesday, 14 November 2007
Interesting question, but we all know it will be a tiny handful. Most are the result of stupidity.
Andy said on Wednesday, 14 November 2007
So let's all ignore MySQL database servers, they are not real enough are they?
loquin said on Wednesday, 14 November 2007
JustMe/Jobsworth - Unpatched: look at page two of the article...
Whatever said on Wednesday, 14 November 2007
Patched/Unpatched, he found 6 SQL servers that were unpatched out of a million IP addresses, not sure that qualifies as "many". How many of those were unpatched because they weren't actually being used for more than "install and poke around"? Don't know but this is the same "researcher" that writes exploits then publishes them and then when someone runs it he claims he predicted it. Why this guy isn't in prison is beyond me.
Here is a business plan:
Stage 1 - Find an exploit and publish step by step instructions. Wait for someone to try this out then print out business cards that say "Security Consultant" and offer to patch systems that you caused the problem on.
Stage 3 Profit!
Shaun said on Wednesday, 14 November 2007
Poor security - these are probably 'loser' organizations that probably don't even understand the need to backup their databases, or they are databases that have 0 records, just default installations.
Michael said on Wednesday, 14 November 2007
This article is pointless. Presuming that because a database exists, that it means there's meaningful data at risk is irrational. How many unfirewalled Excel spreadsheets are on the Internet? I submit that 499,990 of the half million databases at risk have no meaningful purpose (or data). Databases are just that easy to spin up.
Remember the slammer worm? said on Thursday, 15 November 2007
SQL slammer was one very powerful worm (when was that, 2001?), and it just used the MS-SQL monitoring service. Just imagine if it actually targeted and harvested data in the database.
Whitehat said on Thursday, 15 November 2007
I would have to wonder how many of those open ports were really SQL servers and not just honey pots. Pretending to be a lame duck and seeing who nibbles is an incredibly effective way of finding and distracting hackers long enough to ensure they don't actually do any damage. I wonder how many alarms this guy tripped while doing his "research".
Buzzy said on Thursday, 15 November 2007
I have to ask those of you pooh-poohing this finding: what would be the business purpose of having a DBMS exposed on the internet in the first place? Does it just mean you're too cheap to put your DBMS in a DMZ behind your HTTP-based front end? I can't think of any legitimate use case that requires the native DBMS port to be exposed. If you can afford an Oracle or SQL server license, you can afford the hardware to properly secure them.
On the other hand, maybe this is a measure of the level of piracy of these two DBMS's...
SecurityGuy said on Thursday, 15 November 2007
To educate the masses, if there's an open port on an IP, it means there is a piece of software listening on that port. If no software was listening, the port would be closed, and he would not have made a connection.
They might be PCs with MS SQL EE or Oracle XE (which are free to dl). Some people like to learn on their own, developers may have dev dbs on home PCs, or some users install stuff for no good reason.
Despite this, I work as an Internet Security Consultant, and I would expect that most of the IPs referenced by this article are actually running production db's.
Businesses make poor decisions, either due to a lack of knowledge or due to "business" reasons, i.e. not wanting to spend money; both are unforgivable mistakes. If some businesses are doing nothing to protect their data by exposing their database to the Internet, then the headline is not alarmist enough.
Makes you wonder who has your data in their db, and if they have one of those IPs?
aim said on Thursday, 15 November 2007
Businessmen will only care about data security if it costs them money. If they ignore their current situation, it is likely that even if data gets stolen, no-one will call them out on it, and there will be no penalty (if the theft is even noticed).
When there is legal redress to sue companies for large amounts of dosh if they fail to keep personal data secure things might change. The charge of Reckless Data Abuse is a prerequisite to even starting to solve the current security nightmare all competent and experienced IT staff know exists (regardless of what anyone thinks of the methodology used for this particular exercise).
Jobsworth said on Thursday, 15 November 2007
Interesting that someone mentioned SQL Slammer. Guess who wrote the code for that? And then was oh-so-surprised that it was 'abused'...how fortuitous that mere months earlier he had started a new company offering security consultancy services.
Frederico said on Thursday, 15 November 2007
This article is recommended reading for any IT Security class!
Please send comments on the article to your teacher, so that they are aware of it.
James said on Friday, 16 November 2007
They are not hard numbers but scary all the same. We got hit by the slammer on our internal network when a rogue consultant with his personal laptop infected our internal network. We now have a DHCP MAC address jail where if your MAC is not on file in the database you don't get a normal IP address and are jailed to the Internet only. They are provided a web page where they can request access and if a security audit passes then the computer is given a new IP address. The software checks for hardware make/model, and other company identifiers to allow them on the network. This prevents unauthorized computers on our internal corporate network; i.e. personal laptops, PDA's, and cell phones. It's set up for the wireless and the ethernet networks.
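The admission logic behind the DHCP "MAC jail" James describes above, as an added example; it is not the commenter's software and nothing on this page documents how his system is built. The device registry, the approved make/model list, the asset-tag format and both address pools are constructed for the example. The one practical detail it adds is MAC normalisation: clients, switches and DHCP logs write the same address as `00-1A-2B-...`, `00:1a:2b:...` or `001a.2b3c.4d5e`, and an allow-list that compares raw strings quietly jails registered hardware.

```python
import re

# Constructed registry of known corporate hardware, keyed by normalised MAC.
REGISTERED = {
    "00:1a:2b:3c:4d:5e": {"make": "Dell", "model": "Latitude D620", "asset_tag": "CORP-0001"},
    "00:1a:2b:3c:4d:5f": {"make": "HP", "model": "dc7700", "asset_tag": "CORP-0002"},
}
# Constructed list of hardware the self-service audit will accept.
APPROVED_MODELS = {("Dell", "Latitude D620"), ("HP", "dc7700")}

INTERNAL_POOL = "10.10.0.0/16"      # assumed corporate address range
JAIL_POOL = "192.168.250.0/24"      # assumed Internet-only quarantine range

_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw):
    """Reduce any common MAC spelling to lowercase colon-separated form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def assign_pool(mac, registry=REGISTERED):
    """Decide which DHCP pool a requesting client is served from."""
    mac = normalise_mac(mac)
    if mac in registry:
        return INTERNAL_POOL, "registered device"
    return JAIL_POOL, "unknown MAC, quarantined to Internet-only pool"


def process_access_request(mac, audit, registry=REGISTERED):
    """Handle the self-service request a jailed client submits.

    `audit` is the record collected from the client (make, model, asset tag);
    the field names are assumptions. On success the MAC is registered and the
    client obtains an internal address at its next lease renewal."""
    mac = normalise_mac(mac)
    if (audit.get("make"), audit.get("model")) not in APPROVED_MODELS:
        return False, "hardware make/model not on the approved list"
    tag = audit.get("asset_tag", "")
    if not re.fullmatch(r"CORP-\d{4}", tag):
        return False, "missing or malformed corporate asset tag"
    registry[mac] = {"make": audit["make"], "model": audit["model"], "asset_tag": tag}
    return True, "registered; renew the DHCP lease for an internal address"


if __name__ == "__main__":
    for client in ("00-1A-2B-3C-4D-5E", "de:ad:be:ef:00:01"):
        pool, why = assign_pool(client)
        print(f"{client}: {pool} ({why})")
    ok, msg = process_access_request(
        "de:ad:be:ef:00:01",
        {"make": "Dell", "model": "Latitude D620", "asset_tag": "CORP-0042"},
    )
    print(ok, msg, assign_pool("de:ad:be:ef:00:01"))
```

The decision is deliberately fail-closed: anything the registry does not recognise lands in the quarantine pool, which is what stops an unregistered laptop from ever seeing the internal network. A MAC address is an identifier rather than a credential, so a scheme like this addresses the accidental case the comment describes, an unmanaged machine plugged in without anyone noticing, and should be paired with patching and host firewalls on the internal segment rather than relied on as the only control.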