AWS resolves service issues. A summit stand-off. Dark web chatter, and arbitrage courts in the C2C world. Looking for stolen or lost alt-coin.
Dave Bittner: Amazon resolves its Tuesday outage as observers wonder about cloud risks. A standoff at the Russo-American summit. A look at the arbitrage process that governs the criminal-to-criminal market. Carole Theriault reads the fine print. Andrea Little Limbago looks at global regulatory regimes. A DeFi platform asks for its stolen money back. And a guy looks for his private key in a physical garbage dump.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 8, 2021.
Dave Bittner: Amazon Web Services says it's back after an outage yesterday afternoon that centered on the U.S. East Coast and had geographically wide-ranging effects. Media coverage focused on disruptions to package deliveries, the interruption of online entertainment channels and the unavailability of various home IoT and media devices, like Alexa and Ring security systems. But the outage was striking in the extent to which it disrupted cloud services that businesses and agencies have come to depend upon.
Dave Bittner: At 9:37 a.m. Pacific Standard Time, Amazon first reported impact to multiple AWS APIs in the US-EAST-1 Region and said the issue was also affecting some monitoring and incident response capabilities. The first notice said, quote, "We have identified the root cause and are actively working towards recovery," end quote. Users had been reporting outages for some time before Amazon's announcement. The AP tweeted the story about half an hour before Amazon's first disclosure. "Breaking," the wire services said, "users say Amazon Web Services is suffering a major outage. The company provides cloud computing services to individuals, universities, governments and companies, including The Associated Press. Amazon has yet to comment on the outage, and few details are available," end quote.
Dave Bittner: Amazon provided brief updates throughout the day. At 4:35 p.m. Pacific Standard Time, AWS reported the issue resolved, about eight hours after disruptions began to be reported. Their final update read, quote, "with the network device issues resolved, we are now working towards recovery of any impaired services. We will provide additional updates for impaired services within the appropriate entry in the Service Health Dashboard," end quote.
Dave Bittner: Quartz argues that the incident, which was by all accounts an accidental outage and not the result of an attack, shows how dependent commerce, the IoT and the cloud have become on AWS. We heard from the SANS Institute while the incident was in progress. Ed Skoudis, president of the SANS Technology Institute, wrote, quote, "this is yet another glimpse of how interconnected our services have become, with the immense complexity of cloud deployments impacting large numbers of enterprises and consumers. Cloud services are generally well-run and suffer fewer outages than individual organizations' networks. That said, when there's a bump in the night for a cloud provider, it impacts a huge number of users and often in unexpected ways. We seem to be getting hit with these kinds of outages every month or two, and that's disheartening. So far, the vast majority of them are from operational errors, misconfigurations or bad software updates and not a cyberattack," end quote.
Dave Bittner: His colleague, John Pescatore, director of Emerging Security Trends at the SANS Technology Institute, sees a risky monoculture and advises organizations to look for redundancy and reserve capability. Quote, "outages like this one and earlier ones at AWS happen regularly across cloud service providers, and most commonly are due to self-inflicted wounds. A cloud service-level agreement of 99% uptime still allows almost eight hours per month of downtime. Businesses need to invest in redundant or backup capabilities or pay for higher levels of guaranteed availability to preserve critical business services when running in the cloud. Larger businesses also need to look at their suppliers and see if they are subject to concentration risk. Too high a percentage of suppliers on one cloud service and even a short outage can be disastrous to business," end quote.
Dave Bittner: Reports from yesterday's Russo-U.S. summit indicate that both sides held their lines. Bloomberg quotes Russian sources as calling the tone "frank and businesslike." President Putin demanded an end to U.S. activity Russia regards as threatening. President Biden warned that a Russian invasion of Ukraine would draw severe economic sanctions, and additional military aid to Kiev.
Dave Bittner: Reuters reports that Russian sources say the two Presidents committed to further talks and emphasized that Russia's principal interest lies in obtaining assurances that NATO won't deploy offensive strike weapons in the Near Abroad.
Dave Bittner: The reports all suggest that the prospect of more widespread fighting in Ukraine was the principal focus of discussion, but it’s important to remember that cyber operations now precede, accompany and follow kinetic fighting.
Dave Bittner: Researchers at Trustwave's SpiderLabs have been reading the chatter in Russophone criminal circles, and they see signs of unease. Recent high-profile enforcement actions have put them on guard, and many posts suggest that a sense of being protected by the Russian government may be eroding.
Dave Bittner: Some of the posts show a good mastery of the paranoid style, like this one - quote, "Incidentally, there are the recent secret negotiations on cybercrime between the Russian Federation and the United States," end quote.
Dave Bittner: There are other laments that suggest a sense that their world, too, may pass away. Quote, "In politics, individuals often become a bargaining chip - from ancient Rome. There are no guarantees that Article 272 of the Criminal Code of the Russian Federation will never be applied because of the criminal operations to those who work in the U.S. And yes, Putin is not eternal. Who will replace and what will be the foreign policy agreements, relations, and the internal accents in law enforcement practice, no one knows," end quote.
Dave Bittner: Indeed, who does know? Although Mr. Putin and his legacy don’t seem to be going anywhere soon.
Dave Bittner: In any case, Trustwave thinks that, however unstable the ground under their feet may now be feeling, the cyber gangs are likely to stay put, in a geographical sense. They know their home turf, having survived there so far, and are likely to feel safer in an arguably friendlier and perhaps more corruptible environment than they might encounter elsewhere. But the gangs are getting wary, and that’s probably on balance a good thing.
Dave Bittner: Researchers at Analyst 1 have found that the cyber underground has its own courts - forums for resolving disputes among criminals. The process is generally referred to as arbitrage, and the plaintiffs typically ask for compensation ranging from hundreds to thousands of U.S. dollars.
Dave Bittner: Most criminal communities - and these are most usefully defined by the languages in which they conduct their C2C business - have their own arbitrage process. Analyst 1 explains how it works - quote, "To initiate the process, the accuser must open a thread in a dedicated sub-forum that usually has the title Court or Arbitrage and provide the following details - a brief of the claim, the nickname of the defendant, including the link to his profile, and the defendant's contact information from Telegram, Jabber or email address."
Dave Bittner: The process doesn’t preclude direct action by an aggrieved party. If they’re angry enough, they’ll retaliate, usually by posting full, identifying details about their adversary in a place where the authorities can find it, and where other criminals will know that the hood who’s failed to deliver or otherwise cheated a colleague is someone to avoid.
Dave Bittner: Vice reports that BadgerDAO, which last week lost about $119 million to criminals who rifled its decentralized finance - that's DeFi - platform, has asked the crooks to please return what they stole.
Dave Bittner: Vice quotes BadgerDAO as saying to the unknown crooks, quote, "You have taken funds that do not belong to you, but we are willing to work with you and compensate you for identifying this vulnerability in the systems. We are providing you with a direct line of communication to discuss a peaceful resolution without involving any outside parties. Contact us to discuss further and do the right thing on behalf of the community," end quote.
Dave Bittner: So the hope would be that they’d be able to cut their losses and turn the episode into a kind of bug bounty payout. And what would be in it for the criminals? If they’re not hardened crooks, but perhaps hackers in it for the lulz (ph), it might offer them a way of climbing down from an uncomfortable perch. Or it might be a way for actual criminals to maybe limit their legal exposure, if they’re feeling the hot breath of the law on their neck.
Dave Bittner: And hey, everybody, the New Yorker says this guy in Wales has been rooting through dumps looking for an old gaming hard drive he tossed out after he spilled juice on it, forgetting that same said drive held the private key for some early Bitcoin mining he’d done back in the day when mining was young and relatively cheap, more a matter for hobbyists than for speculators. It would be worth, well, a whole lot, he thinks, if he could find his way back into that wallet.
Dave Bittner: The New Yorker's headline says there's maybe half a billion bucks in that dump.
Dave Bittner: We are all familiar with the standard routine when faced with pages and pages of fine print. For most of us, just click agree and be done with it. Our U.K. correspondent Carole Theriault says, not so fast.
Carole Theriault: OK, so analogy time. To drive home the point about privacy, I want us to think about dating. Like, when you go out on a date, one obviously puts their best foot forward. And it makes sense that someone wouldn't want to lead with something that they are insecure about - say, a behavior or attribute. You might focus on your winning personality instead of your paunch, your beautiful eyes and not your crooked front tooth. And these are lies, but they are characteristics that you have highlighted as your most attractive points, the things that might get someone to do a double-take in the gym or supermarket or swipe right on a dating app. And I'm comparing this to how companies behave.
Carole Theriault: In the same way that someone wants to date you, companies want to secure your business. There's this idea in the business world of a unique selling point, or USP, and it basically refers to what a company wants to shout loudest about or what's better than the main competitor out there. Could the company have a complete deal-breaker hidden in their closet that if you knew about, you would be looking the other way? Sure. And that's why they're going to keep it hidden until they secure your business.
Carole Theriault: So, for example, if your service has a longer lag time when performing a task, the website might crow about how it's cheaper than the competitor. Or if your device design is not the best, you might focus on the neat configuration options you've added to stand apart from the crowd. If you provided a streaming service, you might talk about the sheer amount of content available, not the fact that you are hoovering up millions of data points about the viewer for increased ad revenue generation. You get my drift. They shout about the good; they hide the not so good, all in the aim of securing your business. And you might find out about a potential deal-breaker, but like in the dating world, it sometimes will be too late because you've already committed, or it's just too difficult to extricate yourself.
Carole Theriault: And this, my dear listeners, is why you look at the terms and conditions, the legalese. This is where they can reveal a few things about how they operate that you might be fine with or really not fine with. The thing is, in the legalese, the statements they make are legally tenable. I cannot think of a company that leads with how they process your data for their benefit, but they have to tell you about it in the legal statements. So before you download an app or purchase a smart device or online service, check the terms and conditions and the privacy statements. And when they get updated, review these changes. I promise it's worth it. You might find out that some companies are completely above board. But you might also find out that some are scraping the barrel. This was Carole Theriault for the CyberWire.
Dave Bittner: And joining me once again is Andrea Little Limbago. She is vice president of research and analysis at Interos. Andrea, it's always great to have you back. I wanted to touch today on things that you're tracking when it comes to the regulatory situation globally. I mean, what are we seeing in terms of trends there?
Andrea Little Limbago: Yeah, there are a lot, to be honest. And so we often think about how technology advances, you know, exponentially and so forth, but policy lags well behind. And it has. We've seen that. Policy is really trying to catch up right now. And that's - we've seen it over the last couple of years, and it really - just expanding in a significant amount as well. And so what we've seen, you know, in the last couple of years, you know, GDPR on the privacy side really has kicked off a lot of big focus and impetus towards focusing on privacy. And that's had a lot of global repercussions. Both - you know, Brazil's had a similar law that was passed. California - again, they mirror. They're not identical, but they mirror, and they will lean and learn from each other.
Dave Bittner: Yeah.
Andrea Little Limbago: But, I mean, most recently in the U.S., you know, Colorado - Virginia passed one this year. So we're seeing a lot in that regard, even to the point - an interesting component for that is that China's data privacy law just came into effect on November 1.
Dave Bittner: Right.
Andrea Little Limbago: And that also actually borrows a decent amount from the GDPR, which may surprise a lot of people. But it is - it's part of their broader focus on reining in the tech companies as well. And so it takes aspects such as data minimization and transparency, data transfer requirements and so forth. And so it does actually somewhat - you can read. It sounds somewhat similar to the GDPR as far as mirroring it. But the core aspect of that one that the other privacy laws don't have is it still enables tons of access to the data by the government. So it basically still is - you know, government can still do what they want to do with the data, have access upon asking for it, complements their other cybersecurity and data protection or data security laws have come into play in the last few years as well. So that's a very big distinction (laughter).
Dave Bittner: Privacy in air quotes, right?
Andrea Little Limbago: Yeah.
Dave Bittner: With the Chinese.
Andrea Little Limbago: But it is interesting, because they are reining in Big Tech in a very different way than what we're seeing in the U.S. and in Europe.
Dave Bittner: In general, you know, we've had GDPR active for a while now. How are people looking at it? Is it generally considered to be a success? Is there more to be done? Or are people disappointed it hasn't done more? Where have we landed with that?
Andrea Little Limbago: I think all of the above (laughter) is where people have landed.
Dave Bittner: (Laughter) OK - depends on who you ask.
Andrea Little Limbago: It depends on who you ask. Lawyers will have a lot of issues because some of it wasn't, you know, detailed enough. In some cases - now, it became apparent that the legal infrastructure for actually seeing a lot of the cases wasn't necessarily in place when GDPR came into effect. So there've been a lot of learnings in that regard. Where I'd argue, you know, it's been a huge success is really just in promoting the notion of data privacy for individual data privacy rights. And so if we were to focus on that as a metric, I think it has been a huge success as far as basically empowering and influencing other forms of similar regulations across the globe.
Andrea Little Limbago: It also does counter what we're seeing a lot as far as, you know, more government access to data. It's basically the counterweight to that, which is desperately needed. So I think in that regard, it's also been a success. But there's a lot, I think, more that needs to be done. You know, a lot of lessons have been learned, and that's where I think it's actually really interesting where you start seeing how, you know, Brazil or how these different states in the U.S., how some of the, you know, countries across Africa actually are also - you know, about 100 different - or not 100 different - about 50% of the countries have now enacted a - some level of data privacy law there, and much of it influenced by what's going on in the GDPR. So it's interesting seeing how different countries are starting to implement aspects of it, which I also think can help, you know, inform the GDPR as it continues to grow and evolve. I look at it at least as almost a starting point and not the end point. I think it's going to continue to evolve after some learnings and so forth. But I think it's had an enormous impact.
Dave Bittner: Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.