[Chapter-delegates] Internet Society Data Leaked

Wed Feb 16 12:38:58 PST 2022

I think that a guidance from ISOC would have been nice, e.g. "Please, 
inform your chapter members on that leak, provide them with ..., ... and 
..." That's being proactive, and not wait to hear about a problem, but 
guide us on how to address it. Not every chapter has lawyers available, 
so they can figure out a language.
Also would have been good to provide this update in a form that is more 
useful. The current message is not very clear: "...made some Internet 
Society member data publicly accessible. After resolving the issue, we 
restored our MemberNova service on 21 December 2021. Fortunately, we 
have still not seen any instances of malicious access to member data as 
a result of this issue."

"Some"? What exactly?
"Have not seen" and "malicious"?

v/

On 2/16/22 12:45, Olivier MJ Crépin-Leblond wrote:
> Am I the only one in Chapter Delegates mailing list who received and 
> read the email from Christine Saegesser explaining the problem with 
> MemberNova and referring to:
>
> "As we noted in our prior email, after we learned of the issue, we 
> launched an investigation. The investigation is continuing, and we 
> will provide more details when we have more information to share. 
> Going forward, updates will be posted at updates.internetsociety.org 
> <http://updates.internetsociety.org>, and we encourage you to check 
> there for additional information. The membership password to access 
> this website is ISOC-AMS-Updates (case sensitive)."
>
> Or is the problem that there does not appear to have been any updates 
> since 21st January 2021?
>
> Kindest regards,
>
> Olivier
>
> On 16/02/2022 14:54, Veni Markovski via Chapter-delegates wrote:
>> +1 to the request for more clarity; our members need to be informed, 
>> and I don't want to share on social media a link to an article on 
>> some website. There should be something at isoc.org, and in the news 
>> section there's only one press release from 2022 - on February 4.
>>
>> Also, it's not a good thing to find out from a publication about some 
>> of the details (I assume not all of them)...
>>
>> v/
>>
>> On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
>>> Andrew,
>>>
>>> Could we have a little more clarity on this please? Chapter members 
>>> in multiple jurisdictions may have notification obligations arising 
>>> from this.
>>>
>>>
>>> The Jan 21 <https://updates.internetsociety.org/> update states:
>>>> Fortunately, we have still not seen any instances of malicious 
>>>> access to member data as a result of this issue.
>>>
>>> This appears a little unclear to me on two important fronts:
>>>
>>> *"have not seen"*
>>>
>>> An adversarial read of this is the rather horrifying idea that 
>>> access logging was not turned on, so you (and MemberNet) haven't the 
>>> faintest idea whether there were any unauthorised accesses, which 
>>> would certainly allow you say that you hadn't seen any unauthorised 
>>> accesses but wouldn't mean that there weren't any, even at a 
>>> reasonable level of confidence. Hopefully this is not the case!
>>>
>>> *"malicious access"*
>>>
>>> The relevant question is not whether any accesses could be described 
>>> as malicious, but simply whether they were unauthorised. An 
>>> adversarial read of this is that there were unauthorised accesses, 
>>> but because you don't have much information about the unauthorised 
>>> accessers you not in a position to say that they were acting 
>>> maliciously, however this would tell us nothing about whether there 
>>> had been unauthorised access. Again, hopefully this is not the case!
>>>
>>>
>>> To address both concerns, are you able to confirm that:
>>>
>>>  1. access logging was turned on and the logs were successfully secured;
>>>  2. the logs appear to be complete (in this case "appear to" is
>>>     fine; the requirement is simply that there are no unexplained
>>>     gaps); and
>>>  3. all logged accesses are authorised (i.e. because they were made
>>>     by the application server, not random external IP addresses)
>>>
>>> ?
>>>
>>>
>>> - Roland
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>>>> In case you missed it:
>>>>
>>>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Hank
>>>>
>>>> _______________________________________________
>>>> As an Internet Society Chapter Officer you are automatically subscribed
>>>> to this list, which is regularly synchronized with the Internet Society Chapter Portal (AMS):
>>>> https://admin.internetsociety.org/622619/User/Login
>>>> View the Internet Society Code of Conduct:https://www.internetsociety.org/become-a-member/code-of-conduct/
>>>
>>>
>>>
>>> _______________________________________________
>>> As an Internet Society Chapter Officer you are automatically subscribed
>>> to this list, which is regularly synchronized with the Internet Society Chapter Portal (AMS):
>>> https://admin.internetsociety.org/622619/User/Login
>>> View the Internet Society Code of Conduct:https://www.internetsociety.org/become-a-member/code-of-conduct/
>>
>> -- 
>>
>> Best regards,
>> Veni
>> https://www.veni.com
>> pgp:5BA1366Eveni at veni.com
>>
>> The opinions expressed above are those of the
>> author, not of any organizations, associated
>> with or related to him in any given way.
>>
>> _______________________________________________
>> As an Internet Society Chapter Officer you are automatically subscribed
>> to this list, which is regularly synchronized with the Internet Society Chapter Portal (AMS):
>> https://admin.internetsociety.org/622619/User/Login
>> View the Internet Society Code of Conduct:https://www.internetsociety.org/become-a-member/code-of-conduct/
>
> -- 
> Olivier MJ Crépin-Leblond, PhD
> http://www.gih.com/ocl.html

-- 

Best regards,
Veni
https://www.veni.com
pgp:5BA1366Eveni at veni.com

The opinions expressed above are those of the
author, not of any organizations, associated
with or related to him in any given way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://elists.isoc.org/mailman/private/chapter-delegates/attachments/20220216/18a4312e/attachment.htm>