[Chapter-delegates] Internet Society Data Leaked

Veni Markovski veni at veni.com
Wed Feb 16 03:54:16 PST 2022


+1 to the request for more clarity; our members need to be informed, and 
I don't want to share on social media a link to an article on some 
website. There should be something at isoc.org, and in the news section 
there's only one press release from 2022 - on February 4.

Also, it's not a good thing to find out from a publication about some of 
the details (I assume not all of them)...

v/

On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
> Andrew,
>
> Could we have a little more clarity on this please? Chapter members in 
> multiple jurisdictions may have notification obligations arising from 
> this.
>
>
> The Jan 21 <https://updates.internetsociety.org/> update states:
>> Fortunately, we have still not seen any instances of malicious access 
>> to member data as a result of this issue.
>
> This appears a little unclear to me on two important fronts:
>
> *"have not seen"*
>
> An adversarial read of this is the rather horrifying idea that access 
> logging was not turned on, so you (and MemberNet) haven't the faintest 
> idea whether there were any unauthorised accesses, which would 
> certainly allow you to say that you hadn't seen any unauthorised accesses 
> but wouldn't mean that there weren't any, even at a reasonable level 
> of confidence. Hopefully this is not the case!
>
> *"malicious access"*
>
> The relevant question is not whether any accesses could be described 
> as malicious, but simply whether they were unauthorised. An 
> adversarial read of this is that there were unauthorised accesses, but 
> because you don't have much information about the unauthorised 
> accessers you are not in a position to say that they were acting 
> maliciously, however this would tell us nothing about whether there 
> had been unauthorised access. Again, hopefully this is not the case!
>
>
> To address both concerns, are you able to confirm that:
>
>  1. access logging was turned on and the logs were successfully secured;
>  2. the logs appear to be complete (in this case "appear to" is fine;
>     the requirement is simply that there are no unexplained gaps); and
>  3. all logged accesses are authorised (i.e. because they were made by
>     the application server, not random external IP addresses)
>
> ?
>
>
> - Roland
>
>
> ------------------------------------------------------------------------
>
> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>> In case you missed it:
>>
>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>
>>
>> Regards,
>>
>> Hank
>>
>> _______________________________________________
>> As an Internet Society Chapter Officer you are automatically subscribed
>> to this list, which is regularly synchronized with the Internet Society Chapter Portal (AMS):
>> https://admin.internetsociety.org/622619/User/Login
>> View the Internet Society Code of Conduct: https://www.internetsociety.org/become-a-member/code-of-conduct/
>
>
>

-- 

Best regards,
Veni
https://www.veni.com
pgp:5BA1366Eveni at veni.com

The opinions expressed above are those of the
author, not of any organizations, associated
with or related to him in any given way.