News

Microsoft, Docker Tout Security Measures After Breach

• By Kurt Mackie
• 04/30/2019

A security breach that was discovered by Docker last week did not compromise Microsoft container images hosted on Docker Hub, Microsoft said recently.

Docker discovered on Thursday that "approximately 190,000 accounts may have been exposed" when a single Docker Hub database was accessed by an unauthorized party. The database contained "usernames and unhashed passwords for a small percentage of users as well as GitHub and Bitbucket tokens for Docker autobuilds."

Containers are an operating system virtualization approach used by developers to spin up applications without conflicts. An autobuild is a way of automatically building images from source code and pushing it up into a Docker repository. Docker defines an image as "an ordered collection of root filesystem changes and the corresponding execution parameters for use within a container runtime." An image serves as "the basis of containers," according to Docker.

In response to the breach, Docker revoked the tokens used for autobuilds, revoked the exposed passwords and sent out notices. However, the notices only went out to users whose passwords were exposed, and they're getting asked to make a password change. Users who had autobuilds set up will have to relink their GitHub or Bitbucket repositories, Docker indicated. Official Docker images housed on Docker Hub weren't affected by the security breach, according to the company.

The possible motivation behind the breach wasn't described. However, attackers apparently are interested in placing malicious Docker images on Docker Hub to carry out activities like cryptojacking, where machines get hijacked for bitcoin-mining operations, according to reporting by Kaspersky Lab's Threatpost.

An earlier Threatpost story had cited a January Tripwire report on container security, which found that 94 percent of IT personnel surveyed had security concerns with using containers. Fast adoption of container technology was the main reason for those increased security risks, according to 61 percent of the respondents.

Microsoft explained in its announcement that it has been transitioning Microsoft images housed on Docker Hub to "being served directly by Microsoft," an effort that started last year. Newer Microsoft images and tags are currently getting served from the Microsoft Container Registry, rather than from Docker Hub. Microsoft is recommending using its registry over Docker Hub for storing images.

To better improve security, Microsoft suggested housing images in a private registry:

Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability and performance of image pulls. For more information, see Choosing a Docker Container Registry.

Microsoft also recommends using "a cloud container build system that incorporates your companies' integrated authentication."