CyberWire Daily - AWS resolves service issues. A summit stand-off. Dark web chatter, and arbitrage courts in the C2C world. Looking for stolen or lost alt-coin.
Episode Date: December 8, 2021. Amazon resolves its Tuesday outage as observers wonder about cloud risks. A stand-off at the Russo-American summit, but chatter in the dark web suggests that the Russophone underworld is feeling uneasy. A look at the arbitrage process that governs the criminal-to-criminal market. Carole Theriault reads the fine print. Andrea Little Limbago looks at global regulatory regimes. A DeFi platform asks for its stolen money back, and a guy looks for his private key in a physical garbage dump. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/234
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Amazon resolves its Tuesday outage as observers wonder about cloud risks.
A standoff at the Russo-American summit.
A look at the arbitrage process that governs the criminal-to-criminal market.
Carole Theriault reads the fine print.
Andrea Little Limbago looks at global regulatory regimes.
A DeFi platform asks for its stolen money back.
And a guy looks for his private key in a physical garbage dump.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 8th, 2021.
Amazon Web Services says it's back after an outage yesterday afternoon that centered on the U.S. East Coast and had geographically wide-ranging effects. Media coverage focused on disruptions to package deliveries, the interruption of online entertainment channels, and the unavailability of various home IoT and media devices like Alexa and Ring security systems. But the outage was striking in the extent to which it disrupted cloud services that businesses and agencies have come to depend upon.
At 9:37 a.m. Pacific Standard Time, Amazon first reported impact to multiple AWS APIs in the us-east-1 region and said the issue was also affecting some monitoring and incident response capabilities. The first notice said, quote, we have identified the root cause and are actively working towards recovery, end quote.
Users had been reporting outages for some time before Amazon's announcement. The AP tweeted the story about half an hour before Amazon's first disclosure. Breaking, the wire service said, quote, users say Amazon Web Services is suffering a major outage and few details are available, end quote.
Amazon provided brief updates throughout the day. At 4:35 p.m. Pacific Standard Time, AWS reported the issue resolved, about eight hours after disruptions began to be reported. Their final update read, quote, with the network device issues resolved, we are now working towards recovery of any impaired services. We will provide additional updates for impaired services within the appropriate entry in the Service Health Dashboard, end quote.
Quartz argues that the incident, which was by all accounts an accidental outage and not the result of an attack, shows how dependent commerce, the IoT, and the cloud have become on AWS.
We heard from the SANS Institute while the incident was in progress. Ed Skoudis, president of the SANS Technology Institute, wrote, quote, this is yet another glimpse of how interconnected our services have become, with the immense complexity of cloud deployments impacting large numbers of enterprises and consumers. Cloud services are generally well run and suffer fewer outages than individual organizations' networks. That said, when there's a bump in the night for a cloud provider, it impacts a huge number of users, and often in unexpected ways. We seem to be getting hit with these kinds of outages every month or two, and that's disheartening. So far, the vast majority of them are from operational errors, misconfigurations, or bad software updates, and not a cyber attack, end quote.
His colleague, John Pescatore, Director of Emerging Security Trends at the SANS Technology Institute, sees a risky monoculture and advises organizations to look for redundancy and reserve capability. Quote, outages like this one and earlier ones at AWS happen regularly across cloud service providers and most commonly are due to self-inflicted wounds. A cloud service level agreement of 99% uptime still allows almost 8 hours per month of downtime. Businesses need to invest in redundant or backup capabilities or pay for higher levels of guaranteed availability to preserve critical business services when running in the cloud. Larger businesses also need to look at their suppliers and see if they are subject to concentration risk. Too high a percentage of suppliers on one cloud service and even a short outage can be disastrous to business. End quote.
Reports from yesterday's Russo-U.S. summit indicate that both sides held their lines. Bloomberg quotes Russian sources as calling the tone frank and businesslike. President Putin demanded an end to U.S. activity Russia regards as threatening. President Biden warned that a Russian invasion of Ukraine would draw severe economic sanctions and additional military aid to Kiev. Reuters reports that Russian sources say the two presidents committed to further talks, and emphasize that Russia's principal interest lies in obtaining assurances that NATO won't deploy offensive strike weapons in the near abroad. The reports all suggest that the prospect of more widespread fighting in Ukraine was the principal focus of discussion, but it's important to remember that cyber operations now precede, accompany, and follow kinetic fighting.
Researchers at Trustwave's SpiderLabs have been reading the chatter in Russophone criminal circles, and they see signs of unease. Recent high-profile enforcement actions have put them on guard, and many posts suggest that a sense of being protected by the Russian government may be eroding. Some of the posts show a good mastery of the paranoid style, like this one, quote, incidentally, there are the recent secret negotiations on cybercrime between the Russian Federation and the United States, end quote. There are other laments that suggest a sense that their world, too, may pass away, quote, in politics, individuals often become a bargaining chip from ancient Rome. There are no guarantees that Article 272 of the Criminal Code of the Russian Federation will never be applied because of the criminal operations to those who work in the U.S. And yes, Putin is not eternal. Who will replace and what will be the foreign policy agreements, relations, and the internal accents in law enforcement practice, no one knows, end quote. Indeed, who does know? Although Mr. Putin and his legacy don't seem to be going anywhere soon. In any case, Trustwave thinks that however unstable the ground under their feet may now be feeling, the cyber gangs are likely to stay put in a geographical sense. They know their home turf, having survived there so far, and are likely to feel safer in an arguably friendlier and perhaps more corruptible environment than they might encounter elsewhere. But the gangs are getting wary, and that's probably, on balance, a good thing.
Researchers at Analyst1 have found that the cyber underground has its own courts, forums for resolving disputes among criminals.
The process is generally referred to as arbitrage, and the plaintiffs typically ask for compensation ranging from hundreds to thousands of U.S. dollars. Most criminal communities, and these are most usefully defined by the languages in which they conduct their C2C business, have their own arbitrage process. Analyst1 explains how it works. To initiate the process, the accuser must open a thread in a dedicated sub-forum that usually has the title court or arbitrage and provide the following details: a brief of the claim, the nickname of the defendant, including the link to his profile, and the defendant's contact information from Telegram, Jabber, or email address. The process doesn't preclude direct action by an aggrieved party. If they're angry enough, they'll retaliate, usually by posting full identifying details about their adversary in a place where the authorities can find it and where other criminals will know that the hood who's failed to deliver or otherwise cheated a colleague is someone to avoid.
Vice reports that Badger DAO, which last week lost about $119 million to criminals who rifled its decentralized finance, that's DeFi, platform, has asked the crooks to please return what they stole. Its message to the unknown crooks read, quote, you have taken funds that do not belong to you, but we are willing to work with you and compensate you for identifying this vulnerability in the systems. We are providing you with a direct line of communication to discuss a peaceful resolution without involving any outside parties. Contact us to discuss further and do the right thing on behalf of the community, end quote. So the hope would be that they'd be able to cut their losses and turn the episode into a kind of bug bounty payout. And what would be in it for the criminals? If they're not hardened crooks, but perhaps hackers in it for the lulz, it might offer them a way of climbing down from an uncomfortable perch. Or it might be a way for actual criminals to maybe limit their legal exposure if they're feeling the hot breath of the law on their neck.
And hey everybody, the New Yorker says, this guy in Wales has been rooting through dumps looking for an old gaming hard drive he tossed out after he spilled juice on it, forgetting that the same drive held the private key for some early Bitcoin mining he'd done back in the day when mining was young and relatively cheap, more a matter for hobbyists than for speculators. It would be worth, well, a whole lot, he thinks, if he could find his way back into that wallet. The New Yorker's headline says there's maybe half a billion bucks in that dump.
We are all familiar with the standard routine when faced with pages and pages of fine print. For most of us, just click agree and be done with it. Our UK correspondent Carole Theriault says, not so fast.
Okay, so analogy time. To drive home the point about privacy, I want us to think about dating. Like when you go out on a date, one obviously puts their best foot forward. And it makes sense that someone wouldn't want to lead with something that they are insecure about. Say, a behavior or attribute. You might focus on your winning personality instead of your paunch, your beautiful eyes, not your crooked front tooth. And these aren't lies, but they are characteristics that you have highlighted as your most attractive points. The things that might get someone to do a double take in the gym or supermarket or swipe right on a dating app.
And I'm comparing this to how companies behave. In the same way that someone wants to date you, companies want to secure your business. There's this idea in the business world of a unique selling point, or USP. And it basically refers to what a company wants to shout loudest about or what's better than the main competitor out there. Could the company have a complete deal breaker hidden in their closet that if you knew about, you would be looking the other way? Sure. And that's why they're going to keep it hidden until they secure your business. So, for example, if your service has a longer lag time when performing a task, the website might crow about how it's cheaper than the competitor. Or if your device design is not the best, you might focus on the neat configuration options you've added to stand apart from the crowd. If you provided a streaming service, you might talk about the sheer amount of content available, not the fact that you are hoovering up millions of data points about the viewer for increased ad revenue generation. You get my drift. They shout about the good, they hide the not so good, all in the aim of securing your business. And you might find out about a potential deal breaker, but like in the dating world, it sometimes will be too late because you've already committed or it's just too difficult to extricate yourself.
And this, my dear listeners, is why you look at the terms and conditions, the legalese. This is where they can reveal a few things about how they operate that you might be fine with or really not fine with. The thing is, in the legalese, the statements they make are legally tenable. I cannot think of a company that leads with how they process your data for their benefit, but they have to tell you about it in the legal statements. So before you download an app or purchase a smart device or online service, check the terms and conditions and the privacy statements. And when they get updated, review these changes. I promise it's worth it. You might find out that some companies are completely above board, but you might also find out that some are scraping the barrel.
This was Carole Theriault for the CyberWire.
And joining me once again is Andrea Little Limbago. She is Vice President
of Research and Analysis at Interos. Andrea, it's always great to have you back. I wanted to touch today on things that you're tracking when it comes to the regulatory situation globally. I mean, what are we seeing in terms of trends there?
Yeah, there are a lot, to be honest. And so, we often think about how technology advances exponentially and so forth, but policy lags well behind. And it has. We've seen that. Policy is really trying to catch up right now. And we've seen it over the last couple of years, and it really is expanding in a significant amount as well. And so what we've seen in the last couple of years, GDPR on the privacy side really has kicked off a lot of big focus and impetus towards focusing on privacy. And that's had a lot of global repercussions. Both Brazil's had a similar law that was passed, California. Again, they mirror, they're not identical, but they mirror and they lean and learn from each other. But most recently in the U.S., Colorado, Virginia passed one this year. And so we're seeing a lot in that regard. Even to the point, an interesting component for that is that China's data privacy law just came into effect on November 1. And that also actually borrows a decent amount from the GDPR, which may surprise a lot of people, but it's part of their broader focus on reining in the tech companies as well. And so it takes aspects such as data minimization and transparency, data transfer requirements and so forth. And so it does actually, some of it you can read sounds somewhat similar to the GDPR as far as mirroring it. But the core aspect of that one that the other privacy laws don't have is it still enables tons of access to the data by the government. So basically still is, you know, government can still do what they want to do with the data, have access upon asking for it, complements their other cybersecurity and data protection or data security laws that have come into play in the last few years as well. So that's a very big distinction.
Privacy in air quotes, right?
Yeah. For the Chinese. But it is interesting because they are reining in big tech in a very different way than what we're seeing in the U.S. and in Europe.
In general, you know, we've had GDPR active for a while now. How are people looking at it? Is it generally considered to be a success? Is there more to be done? Are people disappointed it hasn't done more? Where have we landed with that?
I think all of the above. Depends on who you ask. Lawyers will have a lot of issues because some of it wasn't detailed enough. In some cases, it became apparent that the legal infrastructure for actually seeing a lot of the cases wasn't necessarily in place when GDPR came into effect. And so there have been a lot of learnings in that regard. Where I'd argue it's been a huge success is really just in promoting the notion of data privacy for individual data privacy rights. And so if we were to focus on that as a metric, I think it has been a huge success as far as basically empowering and influencing other forms of similar regulations across the globe. It also does counter what we're seeing a lot as far as more government access to data. It's basically the counterweight to that, which is desperately needed. So I think in that regard, it's also been a success. But there's a lot, I think, more that needs to be done, a lot of lessons have been learned. And that's where I think it's actually really interesting where you start seeing how Brazil or how some of the different states in the U.S., how some of the countries across Africa actually are also, about 50% of the countries have now enacted some level of data privacy law there, and much of it influenced by what's going on in GDPR. So it's interesting seeing how different countries are starting to implement aspects of it, which I also think can help inform the GDPR as it continues to grow and evolve. I look at it at least as almost a starting point and not the end point. I think it's going to continue to evolve after some learnings and so forth. But I think it's had an enormous impact.
Yeah. All right. Well, Andrea Little Limbago, thanks for joining us.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.