BelchSpeak

I can't believe that came from your mouth!


Half Million Databases Not Firewalled

Longtime security researcher David Litchfield surveyed a swath of the internet as a sample, then applied some calculations and concluded that there are as many as 500K Microsoft SQL Server and Oracle database servers exposed to the internet without any firewall or access list protections.

And we wonder why we read about major department stores losing everyone’s personal information. From Computerworld here:

There are nearly half a million database servers exposed on the Internet without firewall protection, according to UK-based security researcher David Litchfield.

Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle’s database.

He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: “There are approximately 368,000 Microsoft SQL Servers… and about 124,000 Oracle database servers directly accessible on the Internet,” he wrote in his report, due to be made public next week.

With no firewall, databases are exposed to hackers, putting corporate data at risk.

“It’s terrible,” he said in an interview. “We all run around like headless chickens following these data breach headlines… organizations out there really don’t care. Why are all these sites hanging out there without the protection of a firewall?”

And he goes on to say that many of them are not even patched.

Dr. Jones

Do not talk about fight club. Oops.
