News

Microsoft and Docker Describe Container Security After 190,000 Accounts Exposed

Microsoft indicated that its container images hosted on Docker Hub weren't compromised by a security breach that was discovered by Docker last week.

Docker discovered on Thursday that a single Docker Hub database had been accessed by an unauthorized party, and that "approximately 190,000 accounts may have been exposed." The database contained "usernames and unhashed passwords for a small percentage of users as well as GitHub and Bitbucket tokens for Docker autobuilds."

Containers are an operating system virtualization approach used by developers to spin up applications without conflicts. An autobuild is a way of automatically building images from source code and pushing it up into a Docker repository. Docker defines an image as "an ordered collection of root filesystem changes and the corresponding execution parameters for use within a container runtime." An image serves as "the basis of containers," according to Docker.

In response to the breach, Docker revoked the tokens used for autobuilds, revoked the exposed passwords and sent out notices. However, the notices only went out to users whose passwords were exposed, and they're getting asked to make a password change. Users who had autobuilds set up will have to relink their GitHub or Bitbucket repositories, Docker indicated. Official Docker images housed on Docker Hub weren't affected by the security breach, according to the company.

The possible motivation behind the breach wasn't described. However, attackers apparently are interested in placing malicious Docker images on Docker Hub to carry out activities like cryptojacking, where machines get hijacked for bitcoin-mining operations, according to reporting by Kaspersky Lab's Threatpost.

An earlier Threatpost story had cited a January Tripwire report on container security, which found that 94 percent of IT personnel surveyed had security concerns with using containers. Fast adoption of container technology was the main reason for those increased security risks, according to 61 percent of the respondents.

Microsoft explained in its announcement that it has been transitioning Microsoft images housed on Docker Hub to "being served directly by Microsoft," an effort that started last year. Newer Microsoft images and tags are currently getting served from the Microsoft Container Registry, rather than from Docker Hub. Microsoft is recommending using its registry over Docker Hub for storing images.

To better improve security, Microsoft suggested housing images in a private registry:

Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability and performance of image pulls. For more information, see Choosing a Docker Container Registry.

Microsoft also recommends using "a cloud container build system that incorporates your companies' integrated authentication." 

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

Featured

  • Microsoft Warns SameSite Cookie Changes Could Break Some Apps

    IT pros could face Web application issues as early as next month with the implementation of a coming SameSite Web change, which will affect how cookies are used across sites.

  • Populating a SharePoint Document Library by E-Mail, Part 1

    While Microsoft doesn't allow you to build a SharePoint Online document library using e-mail, there is a roundabout way of getting the job done using the tools that are included with Office 365. Brien shows you how.

  • Microsoft Previews New App Reporting and Consent Tools in Azure AD

    Microsoft last week described a few Azure Active Directory improvements for organizations wanting to connect their applications to Microsoft's identity and access service.

  • Free Software Foundation Asks Microsoft To Release Windows 7 Code

    The Free Software Foundation this week announced that it has established a petition demanding that Microsoft release its proprietary Windows 7 code as free software.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.