[Chapter-delegates] Internet Society Data Leaked

Roland Turner roland at rolandturner.com
Wed Feb 16 01:19:46 PST 2022


Andrew,

Could we have a little more clarity on this please? Chapter members in 
multiple jurisdictions may have notification obligations arising from this.


The Jan 21 <https://updates.internetsociety.org/> update states:
> Fortunately, we have still not seen any instances of malicious access 
> to member data as a result of this issue.

This appears a little unclear to me on two important fronts:

*"have not seen"*

An adversarial read of this is the rather horrifying idea that access 
logging was not turned on, so you (and MemberNet) haven't the faintest 
idea whether there were any unauthorised accesses, which would certainly 
allow you to say that you hadn't seen any unauthorised accesses but 
wouldn't mean that there weren't any, even at a reasonable level of 
confidence. Hopefully this is not the case!

*"malicious access"*

The relevant question is not whether any accesses could be described as 
malicious, but simply whether they were unauthorised. An adversarial 
read of this is that there were unauthorised accesses, but because you 
don't have much information about the unauthorised accessors you are not 
in a position to say that they were acting maliciously; however, this 
would tell us nothing about whether there had been unauthorised access. 
Again, hopefully this is not the case!


To address both concerns, are you able to confirm that:

 1. access logging was turned on and the logs were successfully secured;
 2. the logs appear to be complete (in this case "appear to" is fine;
    the requirement is simply that there are no unexplained gaps); and
 3. all logged accesses are authorised (i.e. because they were made by
    the application server, not random external IP addresses)?


- Roland


------------------------------------------------------------------------

On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
> In case you missed it:
>
> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>
>
> Regards,
>
> Hank
>
> _______________________________________________
> As an Internet Society Chapter Officer you are automatically subscribed
> to this list, which is regularly synchronized with the Internet Society Chapter Portal (AMS):
> https://admin.internetsociety.org/622619/User/Login
> View the Internet Society Code of Conduct: https://www.internetsociety.org/become-a-member/code-of-conduct/
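As an added example, not part of Roland's e-mail or of anything ISOC or MemberNet published: a small Python check over a constructed access log that tests the two log properties points 2 and 3 of the e-mail above ask for, namely that the log has no unexplained gaps and that every logged access came from the application server rather than an external address. The log format, the application-server address range, the gap threshold and the sample entries are all assumptions made for illustration; nothing is known here about how MemberNet actually logs.

```python
"""
Added example: review a (constructed) data-store access log for the two
properties asked for in the e-mail: no unexplained gaps, and every access
originating from the application server. Log format, addresses and the
gap threshold are assumptions, not MemberNet's real configuration.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: ISO-8601 UTC timestamp, source IP, action, target.
SAMPLE_LOG = """\
2022-01-10T09:00:00Z 10.20.0.5 READ member/1001
2022-01-10T09:00:30Z 10.20.0.5 READ member/1002
2022-01-10T09:01:00Z 10.20.0.6 READ member/1003
2022-01-10T15:30:00Z 10.20.0.5 READ member/1004
2022-01-10T15:30:10Z 203.0.113.77 READ member/1005
2022-01-10T15:30:11Z 203.0.113.77 LIST member/
"""

# Assumed: the only addresses the application server uses to reach the store.
APP_SERVER_NETS = [ip_network("10.20.0.0/24")]

# Assumed: the store is queried continuously while the application is up,
# so a silent stretch longer than this needs an explanation (maintenance
# window, logging outage, deleted records, ...).
MAX_EXPECTED_GAP = timedelta(hours=1)


def parse_log(text):
    """Parse the constructed format into dicts, keeping the line number for reporting."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ts, ip, action, target = line.split()
        entries.append({
            "line": lineno,
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip_address(ip),
            "action": action,
            "target": target,
        })
    return entries


def find_gaps(entries, max_gap=MAX_EXPECTED_GAP):
    """Return (start, end) pairs where consecutive entries lie further apart than max_gap.

    Entries are sorted first so an out-of-order log does not hide a gap.
    """
    ordered = sorted(entries, key=lambda e: e["time"])
    return [
        (prev["time"], cur["time"])
        for prev, cur in zip(ordered, ordered[1:])
        if cur["time"] - prev["time"] > max_gap
    ]


def find_unexpected_sources(entries, allowed=APP_SERVER_NETS):
    """Return entries whose source address is outside the application-server networks."""
    return [e for e in entries if not any(e["ip"] in net for net in allowed)]


def review(text):
    """Run both checks and return the findings for a log in the constructed format."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "gaps": find_gaps(entries),
        "unexpected": find_unexpected_sources(entries),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['entries']} log entries")
    for start, end in result["gaps"]:
        print(f"unexplained gap: {start.isoformat()}Z -> {end.isoformat()}Z")
    for e in result["unexpected"]:
        print(f"line {e['line']}: {e['action']} {e['target']} "
              f"from non-application address {e['ip']}")
```

On the constructed sample this flags one gap (09:01 to 15:30) and two accesses from 203.0.113.77. A gap finding on its own proves nothing either way; it is the list of intervals that someone holding the change and outage records has to account for before the log can be called complete, which is the "no unexplained gaps" standard the e-mail asks for.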
