There are nearly half a million database servers exposed on the Internet without firewall protection, according to UK-based security researcher David Litchfield.
Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database.
He found 157 Microsoft SQL Servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet," he wrote in his report, due to be made public next week.
This is not the first time that Litchfield, managing director of NGSSoftware, has conducted this type of research. Two years ago, he released his first Database Exposure Survey, estimating that there were about 350,000 Microsoft and Oracle databases exposed.
This 2007 version of the Database Exposure Survey is set to be published Monday on Litchfield's Databasesecurity.com Web site. IDG News was given a preliminary copy of the findings.
With no firewall, databases are exposed to hackers, putting corporate data at risk. Litchfield said that, given the amount of press generated by corporate data breaches over the past two years, it's amazing to find that there are more databases exposed than ever before.
"It's terrible," he said in an interview. "We all run around like headless chickens following these data breach headlines... organisations out there really don't care. Why are all these sites hanging out there without the protection of a firewall?"
This year's Oracle tally is actually down from Litchfield's 2005 estimate, which counted 140,000 Oracle systems. That same study placed the SQL Server total at 210,000.