Details

⚠️⚠️ To attend, please also fill up the following registration form: https://forms.gle/fWfy4tmHYo7dPuoXA ⚠️⚠️

AGENDA

  • 6.30pm: Registration & Networking (30mins)
  • 7.00pm: Introduction & Announcement (15mins)
  • 7.15pm: "It's Raining Creds: Crawling DockerHub for Leaked Secrets at Scale" by Aliz Hammond
  • Till Late: Networking, and Searching through Aliz Hammond's Creds Treasure Trove

IT'S RAINING CREDS: CRAWLING DOCKERHUB FOR LEAKED SECRETS AT SCALE
It is common knowledge amongst red-teamers that private Docker container registries are often filled to the brim with interesting secrets. We wondered just how many secrets we could find if we took a good look at the publicly-accessible containers on the DockerHub site, and so built a system capable of crawling these images, extracting files, archiving them, and finally scanning them for interesting secrets. In total, we downloaded over 20,000 containers and found credentials for everything imaginable — Terraform, AWS, and even cryptowallets were in our haul of over a million secrets. In this talk, Aliz Hammond will speak about how we managed to scale the system to this extent, and what problems we encountered, before giving a taste of the things we found. Additionally, Aliz will be bringing along the dataset, so if there are any interesting queries for secrets they haven't looked for yet, they will be accepting suggestions from the audience.

Those who simply can't wait for the talk can have a quick read of the four-part blogpost about the research on the watchTowr blog (https://labs.watchtowr.com/i-dont-need-no-zero-dayz-part-1-docker-containers/) — although obviously the talk will be much more fun than just reading the post!

BIO
Aliz Hammond (they/them) is a security researcher at watchTowr labs, where they spend most of their time finding juicy 0-day bugs in various applications and blogging about the gory details. A firm believer in the power of knowledge-sharing and community, Aliz has spoken at various conferences both local and international, usually sharing highly technical and detailed content ranging from low-level Windows kernel internals to high-level system design. Aliz has a long background in infosec, mostly with binary-level fuzzing and exploitation, with their first published CVE back in 2014.

IMPORTANT NOTICES
