Posted Thursday 15th November 2007 19:45 GMT
Good stuff then. A sample based on someone attempting to connect to a resource without authorisation? That's probably a very very grey area.
Then we'll just take the number and do some multipliers. Yeah, that's a conclusive survey.
Posted Thursday 15th November 2007 22:21 GMT
Of course someone using SQL Server would not care about security. They're using *Windows*!!!! There are a lot of people that don't care about security, or can't be bothered with it. Problem is, some of them are IT managers.
IIRC, back in 2005 we installed a VPN infrastructure for a medium-sized company. The software provider then complained that the VPN traffic was slower than going over the normal internet; somehow they thought VPN's *increase* bandwidth. So they opened up the SQL Server listening port for the public IP.
Oh, and no SSL. Anyone snooping around would get full, unencrypted traffic for the *entire* company's operation. Despite having a VPN installed.
Hey, might as well post that in the daily WTF site as well!!!
Posted Thursday 15th November 2007 22:21 GMT
Likely, what they are recording is MS sql instances that support Office Small business version or other type MSDE running on home workstations.
Posted Thursday 15th November 2007 22:21 GMT
"There are approximately 368,000 Microsoft SQl Servers... and about 124,000 Oracle database servers directly accessible on the Internet"
Any DBA worth his salt KNOWS how to secure a SQL server without a firewall. Its not like 'sa' was left with a blank password and remote access enabled on these, its just an open port.
One of our DB servers has port 1433 open to the WAN (it was that or a site to site VPN), it is perfectly secure. Even if it wasn't a complete muppet could secure a default SQL Server install.
But get this! I've found literally millions of servers with port 80 open to the WAN! I gather it's used for an rather obscure protocol called HTTP.
If I take a random sample of 1000 HTTP and SQL servers, I'll bet I'd get more webservers I could break into than SQL Servers (simply because there are many more attack vectors for HTTP, insecure scripts etc). This article draws attentions to absolutely fuck all.
David Litchfield is a respected security researcher, I don't know why he see's this as such a big issue, that is, unless he's sitting on a 0day remote SQL server exploit, but I won't hold my breath.
Posted Thursday 15th November 2007 22:21 GMT
5'll get ya 10 a least a quarter of those hits were honey pots.
Posted Thursday 15th November 2007 22:21 GMT
If you've got a problem with the idea that a random sample might represent an accurate cross section of a population, then you have to reject every single statistic ever created.
If the IPs really were chosen at random, then it would be easy to determine how accurate the extrapolations to the entire population are, based on the proportion that were sampled. Admittedly these statistics don't have any information about error margins and things like that, but there is no reason to assume that they are complere 'rubbish.'
Statistics isn't a field entirely filled with lies - a large amount of legitimate science goes into these things. The problem, then, is that things can get complicated, so stats tend to lend themselves to manipulation. But you have to ask yourself, what does this NGS place really stand to gain by altering the stats?
And on the grey area thing... So many port scans and connection attemps hit an unprotected internet host per second that this survey would be lost to the general chaos of the system. It isn't like one more connection attempt will bother anyone that can't firewall a service properly.
What I want to know is what scanning software did they use... nmap would not have had a lot of fun with that many targets.
Posted Thursday 15th November 2007 22:32 GMT
"Another interesting revelation was that those running vulnerable versions of Oracle were evenly divided between Windows and Linux/Solaris - suggesting Windows installations are no worse at security than those using other operating systems."
This, of course, ignores that fact that Windows is itself far more vulnerable to unauthorized access.
The conclusion is no more sensible than the anecdotal reporter who allegedly asked Mrs. Lincoln, "Apart from that, how did you enjoy the play?"
Putting a vulnerable installation of Oracle onto a secure OS produces a single point of attack - not desirable, but much easier to fix than putting a vulnerable version of Oracle onto an unsecure (and probably unsecurable) Windows platform.
Posted Friday 16th November 2007 08:47 GMT
If you read the first paragraph the security of the OSes/Database servers isn't the point of the article it is to do with open ports on firewalls!
Posted Friday 16th November 2007 10:43 GMT
Look out for a study soon showing that millions of companys have left their HTTP ports open.
Posted Friday 16th November 2007 12:26 GMT
It ought not to be, in fact later versions will even you force you to jump through hoops to make this happen during an install.
Still, it's by far the most common Admin login tuple I've come across on SQL server installs. Including some really big uns.
Posted Friday 16th November 2007 12:26 GMT
"This article draws attentions to absolutely fuck all."
Even taking into account the slightly dubious nature of the extrapolated numbers in the report, it still highlights a real security issue - I find myself completely astonished at you guys dismissive attitudes.
You must either have real short memories, or just have your heads in the sand - have you completely forgotten about the SQL Slammer worm and what havoc that wreaked...?
Posted Friday 16th November 2007 13:18 GMT
Port scanning without permission is prosecutable under the Computer Misuse Act regardless of how well-intended their 'survey' is. Next time I think about hacking I'll be sure to release some statistics to cover my arse!
Posted Friday 16th November 2007 13:23 GMT
I was wondering if I was the only one that remembered (or would admit to remembering) SQL Slammer. Good to see I'm not.
Wrt statistics+extrapolation: actually this is one of the better uses of extrapolation you'll find. Typically a pollster takes a tiny sample and then extrapolates up to the whole population. What they don't tell you is that their tiny sample has to be "adjusted" for bias and (un)representativeness, but in order to do that adjustment they *have to* know exactly how (un)representative and biased their small sample is. Which they can't, because they've never asked a truly significant proportion of the whole population.
So the pollsters take a wild guess at how well their sample represents the whole population, and hope no one notices or cares. It's mostly worked so far, or at least they've kept it quiet so far?
In the case of a small population of IP addresses vs the global population; yes I'm sure there may be some bias in there, but it'll likely be a lot less bias than in (say) a political opinion poll, where you have to "correct" for sampling errors but you can only meaningfully do that if you know how the broader population is thinking.
Back to the article