Citing an ongoing investigation, Docker provided few details at its annual DockerCon user conference about the attack last week on Docker Hub that led to the exposure of 190,000 user accounts — and this lack of initial transparency has some users worried.
The first official mention of the breach at DockerCon came on the second day of keynotes, from Docker Chief Technology Officer Kal De, as part of a presentation about new technologies the company is testing.
“We will do the best we possibly can to be respectful of the fact that we value your trust immensely, and for that, we must, as a company, and we will, take security very very seriously and will stay laser-focused on it. I just want to make that very clear that it is something in the forefront of our minds,” De told the crowd.
The company, however, has thus far offered scant details about the attack, other than a Frequently Asked Questions page on the Docker Success portal, which the company has pledged to update frequently. There has been no word on how long the attackers had access to the system, how the attack affected other Docker systems, or what software (either Docker’s own or third-party) or processes were compromised. Nor were there any promises of changes that could be made fairly quickly, such as the addition of two-factor authentication (2FA), which some have suggested could have limited the potential damage from attacks like this one.
At a DockerCon press conference on Wednesday, Docker CEO and Chairman Steve Singh briefly discussed the process that Docker is taking to understand what had happened. The company has a protocol for investigating breaches, which it is following. The process is similar to the playbook Singh used at his previous company, expense management service provider Concur. Docker has retained the services of third-party forensics investigators, Singh admitted, answering a question from eWeek reporter Sean Kerner.
Citing this ongoing investigation, Singh declined to answer questions from The New Stack about how long the attackers had access to Docker Hub, or whether any additional systems were compromised. He emphasized that the company alerted affected users as soon as the breach was found, and has disclosed everything it is possible to reveal at this time.
“There are bad actors in the world. And they do things we just have to contend with,” Singh said. He brought up the subject of preparing for “supply-chain attacks,” an apparent trend of late in which attackers have been focused on embedding malicious code in infrastructure software upstream that could be used to hijack an organization’s operations. Supply chain companies need to investigate a “security-by-design” approach to prevent this from happening, he said, adding that “This is an opportunity for us to say ‘Let’s own that problem.'”
Overall, the scope of the Docker Hub breach was “very small,” Singh asserted. “We responded as quickly as we could, and notified our users as soon as we understood the breach and who was impacted.”
At least one security professional has taken a different view.
“We don’t know enough. It could potentially be highly impactful. It could have a lot of ramifications for the world at large,” said Twistlock CEO John Morello, in an interview for an upcoming TNS Makers podcast. As others have noted, an attacker could use the exposed GitHub and Bitbucket credentials to poison entire privately maintained repositories on those services. If the attackers were smart and strategic about what they were doing, they “could potentially impact a lot of businesses,” he said.
Re-upping: what started as a Docker issue is now (also) a GitHub issue, *even if your org does not use Docker*. If any one of your developers used Docker with GitHub integration (even for a single, unrelated personal project) _your_ private repos were potentially exposed. pic.twitter.com/GnFfrhq43w
— Kenn White (@kennwhite) April 27, 2019
“Docker Hub was not the target. It was only the conduit,” Morello said. “If you knew organization X was using Docker Hub and you wanted to penetrate that org, then Docker Hub would be the way to do that.”
This is why having a complete timeline of when the attackers first gained entry would be so important for Docker Hub users, Morello said. With a definite timeline — saying the attack happened 30 days ago, or three months ago — a security admin could check back through the logs for suspicious activity in that timeframe. Without a definite range of when the attacks could have happened, “It’s very hard for people to go back and figure out what is genuine and what might be suspicious,” he said.
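The triage Morello describes, as an added example that is not code from the article, Docker, or Twistlock: given a source-hosting audit log and a breach window, the window does two jobs. Everything before its start becomes the baseline of known (actor, IP) pairs, and everything inside it becomes the set a responder has to review. The log format, field names and action names below are this example's own constructed assumptions, not the schema of GitHub's or Bitbucket's audit logs; the sample events are constructed as well.

```python
"""Bound an audit-log review with a breach window (constructed example)."""
from datetime import datetime

# Actions that change code or mint new credentials; these are what a stolen
# repo token would be used for. The set is an assumption for this example.
WRITE_ACTIONS = {"push", "token.create", "deploy_key.add", "webhook.create"}

# Constructed sample log. Field names (ts, actor, ip, action, repo) are this
# example's own, not any hosting provider's audit-log schema.
SAMPLE_EVENTS = [
    {"ts": "2019-01-10T09:00:00+00:00", "actor": "alice", "ip": "203.0.113.5", "action": "push", "repo": "acme/app"},
    {"ts": "2019-02-02T14:30:00+00:00", "actor": "bob", "ip": "198.51.100.7", "action": "push", "repo": "acme/app"},
    {"ts": "2019-03-20T11:05:00+00:00", "actor": "alice", "ip": "203.0.113.5", "action": "push", "repo": "acme/app"},
    {"ts": "2019-03-22T03:41:00+00:00", "actor": "alice", "ip": "192.0.2.44", "action": "token.create", "repo": "acme/app"},
    {"ts": "2019-03-23T03:50:00+00:00", "actor": "alice", "ip": "192.0.2.44", "action": "push", "repo": "acme/infra"},
    {"ts": "2019-03-25T16:00:00+00:00", "actor": "bob", "ip": "198.51.100.7", "action": "repo.view", "repo": "acme/app"},
    {"ts": "2019-03-28T02:10:00+00:00", "actor": "carol", "ip": "192.0.2.44", "action": "push", "repo": "acme/app"},
    {"ts": "2019-04-28T10:00:00+00:00", "actor": "bob", "ip": "198.51.100.7", "action": "push", "repo": "acme/app"},
]


def _ts(event):
    """Parse the RFC 3339 timestamp into a timezone-aware datetime."""
    return datetime.fromisoformat(event["ts"])


def baseline_pairs(events, window_start):
    """(actor, ip) pairs seen before the earliest possible compromise.

    Activity before the window is treated as trustworthy history; that is
    exactly why the start of the window matters to a responder.
    """
    start = datetime.fromisoformat(window_start)
    return {(e["actor"], e["ip"]) for e in events if _ts(e) < start}


def _in_window(event, window_start, window_end):
    t = _ts(event)
    return datetime.fromisoformat(window_start) <= t <= datetime.fromisoformat(window_end)


def review_burden(events, window_start, window_end):
    """Number of write events a responder must look at for this window."""
    return sum(
        1 for e in events
        if _in_window(e, window_start, window_end) and e["action"] in WRITE_ACTIONS
    )


def triage(events, window_start, window_end):
    """Write events inside the window from (actor, ip) pairs with no prior history.

    Returns the flagged events oldest first. A known developer pushing from a
    never-before-seen address is flagged; the same developer from a known
    address is not.
    """
    known = baseline_pairs(events, window_start)
    flagged = [
        e for e in events
        if _in_window(e, window_start, window_end)
        and e["action"] in WRITE_ACTIONS
        and (e["actor"], e["ip"]) not in known
    ]
    return sorted(flagged, key=_ts)


if __name__ == "__main__":
    # Hypothetical window: earliest possible compromise to the disclosure date.
    narrow = ("2019-03-01T00:00:00+00:00", "2019-04-25T00:00:00+00:00")
    for e in triage(SAMPLE_EVENTS, *narrow):
        print(f"{e['ts']} {e['actor']:6} {e['ip']:14} {e['action']:14} {e['repo']}")
    print("events to review with a known window:", review_burden(SAMPLE_EVENTS, *narrow))
    # With no timeline, the window has to start at the beginning of the log,
    # the baseline is empty, and every write in the log is suspect.
    wide = ("2019-01-01T00:00:00+00:00", "2019-04-25T00:00:00+00:00")
    print("events to review with no timeline:   ", review_burden(SAMPLE_EVENTS, *wide))
```

With the narrow window, only the token creation and two pushes from the unfamiliar address are flagged; with no timeline the baseline collapses and every push in the log lands on the review pile, which is the practical cost Morello is pointing at.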
Typically, cloud service providers such as Amazon Web Services and Microsoft Azure post detailed “postmortem” reports on their outages and disruptions, describing with great specificity exactly what went wrong, and often the steps being taken to prevent similar mishaps from happening again. These exhaustive reports, however, can take some time to compile.
Not helping matters is Docker’s reluctance to add two-factor authentication (2FA), which would require a second form of identification, such as a fingerprint or a passcode relayed by telephone, in addition to the compromised Docker Hub passwords. Even small credit unions have the technical talent to implement 2FA, Morello said, so it shouldn’t be an issue for Docker.
“If I ran Docker Hub that would be my top priority,” Morello said.
Docker Hub Maintenance
There appears to be work underway on Docker Hub, perhaps to repair the holes that the attackers used to gain entry. The company alerted users Friday that it is “performing scheduled maintenance” from approximately 9 a.m. to 7:15 p.m., U.S. Pacific Daylight Time.
“During this window, Docker Hub will be operating in a read-only mode. Registry logins and image pulls will continue to work for a majority of this time frame. Pushes however will generally be unavailable,” the company alerted users in an e-mail.
TNS publisher Alex Williams contributed to this story.
Twistlock is a sponsor of The New Stack. Docker paid for the reporter’s travel to attend DockerCon.
Feature image: Docker Chief Technology Officer Kal De, at DockerCon 2019.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.