Microsoft and Docker Describe Container Security After 190,000 Accounts Exposed
Microsoft indicated that its container images hosted on Docker Hub weren't compromised by a security breach that was discovered by Docker last week.
Docker discovered on Thursday that a single Docker Hub database had been accessed by an unauthorized party, and that "approximately 190,000 accounts may have been exposed." The database contained "usernames and unhashed passwords for a small percentage of users as well as GitHub and Bitbucket tokens for Docker autobuilds."
Containers are an operating system virtualization approach used by developers to spin up applications without conflicts. An autobuild is a way of automatically building images from source code and pushing it up into a Docker repository. Docker defines an image as "an ordered collection of root filesystem changes and the corresponding execution parameters for use within a container runtime." An image serves as "the basis of containers," according to Docker.
In response to the breach, Docker revoked the tokens used for autobuilds, revoked the exposed passwords and sent out notices. However, the notices only went out to users whose passwords were exposed, and they're getting asked to make a password change. Users who had autobuilds set up will have to relink their GitHub or Bitbucket repositories, Docker indicated. Official Docker images housed on Docker Hub weren't affected by the security breach, according to the company.
The possible motivation behind the breach wasn't described. However, attackers apparently are interested in placing malicious Docker images on Docker Hub to carry out activities like cryptojacking, where machines get hijacked for bitcoin-mining operations, according to reporting by Kaspersky Lab's Threatpost.
An earlier Threatpost story had cited a January Tripwire report on container security, which found that 94 percent of IT personnel surveyed had security concerns with using containers. Fast adoption of container technology was the main reason for those increased security risks, according to 61 percent of the respondents.
Microsoft explained in its announcement that it has been transitioning Microsoft images housed on Docker Hub to "being served directly by Microsoft," an effort that started last year. Newer Microsoft images and tags are currently getting served from the Microsoft Container Registry, rather than from Docker Hub. Microsoft is recommending using its registry over Docker Hub for storing images.
To better improve security, Microsoft suggested housing images in a private registry:
Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability and performance of image pulls. For more information, see Choosing a Docker Container Registry.
Microsoft also recommends using "a cloud container build system that incorporates your companies' integrated authentication."
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.