Web Hosting Talk







Microsoft SQL Worm/Spida


Studio64
05-22-2002, 01:31 PM
Basically it's a fairly simple little brute force worm that will give the attacker access to the database...

But, of course you can pretty much avoid being attacked if your SQL server is inside the firewall (I hope none of you out there have your server outside... I can't find a reason why anyone would)..

Security Focus (http://online.securityfocus.com/news/429)

Microsoft Bulletin (http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp)

SANS Analysis (http://www.incidents.org/diary/diary.php?id_6)

Slashdot Article (http://slashdot.org/article.pl?sid=02/05/22/1312211&mode=thread&tid=109) [ Above links pulled from there ]

RackMy.com
05-23-2002, 09:55 AM
To think people still use blank 'sa' passwords, sheesh :)

Mike the newbie
05-25-2002, 08:14 AM
Originally posted by Studio64
Basically it's a fairly simple little brute force worm that will give the attacker access to the database...




It will get access beyond the database. SQL Server has the ability to call system DLLs, which allows the worm full access to the box that has been compromised.

Another part of this problem is that SQL Server is installed "behind the scenes" as a part of some packages, so the user does not know it has been installed. Not good.

I can't believe Microsoft shipped this thing with no default password on the system administrator account. How clueless and indifferent to security can a system vendor be? :confused:

ffeingol
05-25-2002, 09:19 AM
LOL. I'm a database administrator by profession. Anyone who puts up a public SQL server and leaves the sa password as null needs to re-read the install guide.

OTOH, I'm sure that 90% of the MySQL servers never get the anonymous IDs deleted (they get installed by default).

Frank

mwatkins
05-25-2002, 09:25 AM
Originally posted by Mike the newbie
I can't believe Microsoft shipped this thing with no default password on the system administrator account. How clueless and indifferent to security can a system vendor be?

Hey, it's not a Microsoft-specific issue, nor does setting a "default" password on sa make any difference - worms could just test for the default.

What is a problem is the number of clueless sysadmins and the reliance of a buying public on packaged software and "setup.exe".

What doesn't get reported on is how many SQL Server sites do not have adequate backup routines set up! LOL

Anyway I can assure you that I see plenty of ORACLE sites with default passwords just begging to be hit. And then there was VMS which had "system/manager" as a userid/password combo, well known to the world. The list goes on.

I'm no apologist for Microsoft, but in this case the real issue is in the domain of sysadmins and VARs and software houses which do not appreciate security.

Mike the newbie
05-25-2002, 10:59 AM
Originally posted by mwatkins


Hey, it's not a Microsoft-specific issue, nor does setting a "default" password on sa make any difference - worms could just test for the default.
...


What I meant by "default password" was for the install program to require the admin to select and use a password by default.

mwatkins
05-25-2002, 11:14 AM
Yes, forcing a password on install would be a good thing. But even then the issue is not confined to Microsoft. For example, every ORACLE installation has a 'default' and well known password - which, based on my experience, many sysadmins never change!

Security still remains the responsibility of the administrator - even forcing a password is no guarantee that a good password is chosen.

On the bright side, security is a good and growing area of consulting to be in. Problem becomes opportunity LOL

Mike the newbie
05-25-2002, 07:05 PM
The big difference being that Microsoft's marketing targets their products to people who are less capable admins. Oracle's marketing does not have that focus.

Microsoft's target of less capable admins -- coupled with the egregious lack of security in their products and procedures, and the large volume of software that Microsoft sells -- requires Microsoft to be far more responsible than they have been.

Pointing the finger of blame at other companies does not absolve Microsoft of what they have done to lower the security of the internet as a whole.

And quite frankly, I am becoming tired of paying bandwidth charges for Microsoft's security lapses. :D