[Chapter-delegates] Internet Society Data Leaked
Joyce Dogniez
dogniez at isoc.org
Wed Feb 16 09:45:32 PST 2022
Hi everyone,
Thanks for sharing your questions and concerns.
Some of you may remember our communication about the data security issue relating to MemberNova on the 21 December 2021 (attaching the email here for those of you who may not have been part of the list at the time).
We directed you to updates.internetsociety.org for additional updates (membership password to access this website is ISOC-AMS-Updates (case sensitive)).
We are currently updating the FAQ section of this website in response to your feedback.
We’ll let you know when these updates have been made.
Warm regards
Joyce
On 16/02/2022, 14:04, "Chapter-delegates on behalf of Juan C. Cigala, Internet Society Canarias via Chapter-delegates" <chapter-delegates-bounces at elists.isoc.org on behalf of chapter-delegates at elists.isoc.org> wrote:
+1
--
Juan C. Cigala
On 2/16/2022 11:54, Veni Markovski via Chapter-delegates wrote:
> +1 to the request for more clarity; our members need to be informed,
> and I don't want to share on social media a link to an article on some
> website. There should be something at isoc.org, and in the news
> section there's only one press release from 2022 - on February 4.
>
> Also, it's not a good thing to find out from a publication about some
> of the details (I assume not all of them)...
>
> v/
>
> On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
>> Andrew,
>>
>> Could we have a little more clarity on this please? Chapter members
>> in multiple jurisdictions may have notification obligations arising
>> from this.
>>
>>
>> The Jan 21 <https://updates.internetsociety.org/> update states:
>>> Fortunately, we have still not seen any instances of malicious
>>> access to member data as a result of this issue.
>>
>> This appears a little unclear to me on two important fronts:
>>
>> *"have not seen"*
>>
>> An adversarial read of this is the rather horrifying idea that access
>> logging was not turned on, so you (and MemberNet) haven't the
>> faintest idea whether there were any unauthorised accesses, which
>> would certainly allow you to say that you hadn't seen any unauthorised
>> accesses but wouldn't mean that there weren't any, even at a
>> reasonable level of confidence. Hopefully this is not the case!
>>
>> *"malicious access"*
>>
>> The relevant question is not whether any accesses could be described
>> as malicious, but simply whether they were unauthorised. An
>> adversarial read of this is that there were unauthorised accesses,
>> but because you don't have much information about the unauthorised
>> accessers you are not in a position to say that they were acting
>> maliciously, however this would tell us nothing about whether there
>> had been unauthorised access. Again, hopefully this is not the case!
>>
>>
>> To address both concerns, are you able to confirm that:
>>
>> 1. access logging was turned on and the logs were successfully secured;
>> 2. the logs appear to be complete (in this case "appear to" is fine;
>> the requirement is simply that there are no unexplained gaps); and
>> 3. all logged accesses are authorised (i.e. because they were made
>> by the application server, not random external IP addresses)
>>
>> ?
>>
>>
>> - Roland
>>
>>
>> ------------------------------------------------------------------------
>>
>> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>>> In case you missed it:
>>>
>>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>>
>>>
>>> Regards,
>>>
>>> Hank
>>>
>>> _______________________________________________
>>> As an Internet Society Chapter Officer you are automatically subscribed
>>> to this list, which is regularly synchronized with the Internet Society Chapter Portal (AMS):
>>> https://admin.internetsociety.org/622619/User/Login
>>> View the Internet Society Code of Conduct: https://www.internetsociety.org/become-a-member/code-of-conduct/
>>
>>
>>
>
> --
>
> Best regards,
> Veni
> https://www.veni.com
> pgp:5BA1366E
> veni at veni.com
>
> The opinions expressed above are those of the
> author, not of any organizations, associated
> with or related to him in any given way.
>
-------------- next part --------------
An embedded message was scrubbed...
From: Christine Saegesser via Chapter-delegates
<chapter-delegates at elists.isoc.org>
Subject: [Chapter-delegates] MemberNova Update
Date: Tue, 21 Dec 2021 16:13:57 +0000
Size: 32551
URL: <https://elists.isoc.org/mailman/private/chapter-delegates/attachments/20220216/34383523/attachment.eml>
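Added example (not part of any message in this thread, and not ISOC's or MemberNova's code): a sketch of the three checks Roland Turner asks about, run over a secured access log to look for unexplained gaps and for accesses from sources other than the application server. The log format, the addresses, the 30-minute gap threshold and all names below are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log; assumed format: "<ISO timestamp> <source IP> <method> <path>".
SAMPLE_LOG = """\
2021-12-01T10:00:05+00:00 10.0.0.5 GET /members/1001
2021-12-01T10:04:40+00:00 10.0.0.5 GET /members/1002
2021-12-01T10:09:12+00:00 203.0.113.77 GET /members/1002
2021-12-01T13:30:00+00:00 10.0.0.5 GET /members/1003
not-a-log-line
2021-12-01T13:31:10+00:00 198.51.100.9 GET /members/export
"""

AUTHORISED = ["10.0.0.5/32"]      # assumed address of the application server
MAX_GAP = timedelta(minutes=30)   # assumed longest silence that needs no explanation


def review_access_log(text, authorised_networks, max_gap):
    """Return (gaps, unauthorised, unparsed) for a newline-separated access log."""
    nets = [ip_network(n) for n in authorised_networks]
    gaps, unauthorised, unparsed = [], [], []
    previous = None
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        try:
            when = datetime.fromisoformat(fields[0])
            source = ip_address(fields[1])
        except (IndexError, ValueError):
            # A line that cannot be parsed is itself a completeness finding.
            unparsed.append(number)
            continue
        # Completeness: record any silence longer than max_gap for explanation.
        if previous is not None and when - previous > max_gap:
            gaps.append((previous, when))
        previous = when
        # Authorisation: anything not from an allow-listed source is reported,
        # with no judgement about whether it was malicious.
        if not any(source in net for net in nets):
            unauthorised.append((number, str(source), " ".join(fields[2:])))
    return gaps, unauthorised, unparsed


if __name__ == "__main__":
    gaps, unauthorised, unparsed = review_access_log(SAMPLE_LOG, AUTHORISED, MAX_GAP)
    print("gaps:", gaps)
    print("unauthorised:", unauthorised)
    print("unparsed lines:", unparsed)
```

An empty result from all three lists supports "no unauthorised access" only if the log was enabled and secured for the whole exposure window; a gap or an unparsed line is something to explain, not proof of access.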