[Chapter-delegates] Internet Society Data Leaked
Winthrop Yu
w.yu at gmx.net
Thu Feb 17 00:33:04 PST 2022
On 17 Feb 2022 10:13 am, Joly MacFie wrote:
> While I concur with concerns about the transparency, I will just say
> that there is a difference between a breach and a detected vulnerability, so
> let's not get ahead of ourselves.
>
If the vulnerability were unexploited, that distinction might hold. If, as reported
by 3rd parties, there is ISOC member data out there, then clearly there was a
breach. In any case, I believe notification requirements apply, here in our
jurisdiction if not in yours.
> What does seem odd is the length of time between the discovery and the reaction.
>
ISOC HQ told us to expect more information (clarification, details, etc.); we
waited patiently, as is proper. Should chapters have done otherwise -- speak now
or forever hold your peace? :)
WYn
> On Wed, Feb 16, 2022 at 7:35 PM Winthrop Yu via Chapter-delegates
> <chapter-delegates at elists.isoc.org> wrote:
>
> Olivier, we don't need press releases or "updates".
>
> At the very least, we need:
>
> a) a clear, comprehensive yet concise official statement from ISOC HQ
> regarding the breach.
>
> b) including whether ISOC HQ has notified *all* its global members (which
> would include the individual members of chapters).
>
> The above is a bare minimum. Then we will have to check that against any
> obligations the chapter itself may have under local law. And we may
> subsequently need further clarification / statements from ISOC HQ.
>
> WYn
>
>
> On 17 Feb 2022 1:45 am, Olivier MJ Crépin-Leblond via Chapter-delegates wrote:
> >> Am I the only one on the Chapter Delegates mailing list who received and read
>> the email from Christine Saegesser explaining the problem with MemberNova
>> and referring to:
>>
>> "As we noted in our prior email, after we learned of the issue, we
>> launched an investigation. The investigation is continuing, and we will
>> provide more details when we have more information to share. Going
>> forward, updates will be posted at updates.internetsociety.org
>> <http://updates.internetsociety.org>, and we encourage you to check
>> there for additional information. The membership password to access
>> this website is ISOC-AMS-Updates (case sensitive)."
>>
>> Or is the problem that there does not appear to have been any updates
>> since 21st January 2021?
>>
>> Kindest regards,
>>
>> Olivier
>>
>>
>> On 16/02/2022 14:54, Veni Markovski via Chapter-delegates wrote:
>>> +1 to the request for more clarity; our members need to be informed, and
>>> I don't want to share on social media a link to an article on some
>>> website. There should be something at isoc.org <http://isoc.org>, and in
>>> the news section there's only one press release from 2022 - on February 4.
>>>
>>> Also, it's not a good thing to find out from a publication about some of
>>> the details (I assume not all of them)...
>>>
>>> v/
>>>
>>> On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
>>>> Andrew,
>>>>
>>>> Could we have a little more clarity on this please? Chapter members in
>>>> multiple jurisdictions may have notification obligations arising from this.
>>>>
>>>>
>>>> The Jan 21 <https://updates.internetsociety.org/> update states:
>>>>> Fortunately, we have still not seen any instances of malicious access
>>>>> to member data as a result of this issue.
>>>>
>>>> This appears a little unclear to me on two important fronts:
>>>>
>>>> *"have not seen"*
>>>>
>>>> An adversarial read of this is the rather horrifying idea that access
>>>> logging was not turned on, so you (and MemberNet) haven't the faintest
>>>> idea whether there were any unauthorised accesses, which would
> >>>> certainly allow you to say that you hadn't seen any unauthorised accesses
>>>> but wouldn't mean that there weren't any, even at a reasonable level of
>>>> confidence. Hopefully this is not the case!
>>>>
>>>> *"malicious access"*
>>>>
>>>> The relevant question is not whether any accesses could be described as
>>>> malicious, but simply whether they were unauthorised. An adversarial
> >>>> read of this is that there were unauthorised accesses, but because you
> >>>> don't have much information about the unauthorised accessors you are not in
> >>>> a position to say that they were acting maliciously; however, this would
> >>>> tell us nothing about whether there had been unauthorised access.
>>>> Again, hopefully this is not the case!
>>>>
>>>>
> >>>> To address both concerns, are you able to confirm that:
> >>>>
> >>>> 1. access logging was turned on and the logs were successfully secured;
> >>>> 2. the logs appear to be complete (in this case "appear to" is fine;
> >>>> the requirement is simply that there are no unexplained gaps); and
> >>>> 3. all logged accesses are authorised (i.e. because they were made by
> >>>> the application server, not random external IP addresses)?
>>>>
>>>>
>>>> - Roland
>>>>
>>>>
>>>> --------------------------------------------------------------------------------
>>>>
>>>> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>>>>> In case you missed it:
>>>>>
>>>>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Hank
>>>>>
>
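Roland Turner's second and third questions above (no unexplained gaps in the log, and every logged access made by the application server rather than an external address) are the kind of check a practitioner runs over the access log itself before accepting a "we have not seen any malicious access" statement. The following is an added example and is not code from this thread, from ISOC or from MemberNova. It parses a constructed log in a hypothetical "timestamp source-IP operation" format, flags out-of-order timestamps, flags any interval longer than an assumed maximum polling interval as a candidate gap, and flags any access whose source address lies outside an assumed application-server subnet. The log format, the 10.0.1.0/24 network, the 10-minute interval and the sample lines are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<ISO-8601 UTC timestamp> <source IP> <operation>").
# Line 4 comes from an address outside the application tier; line 5 follows a three-hour silence.
SAMPLE_LOG = """\
2022-01-10T08:00:00Z 10.0.1.5 SELECT members
2022-01-10T08:05:00Z 10.0.1.5 SELECT members
2022-01-10T08:10:00Z 10.0.1.5 UPDATE members
2022-01-10T08:15:00Z 198.51.100.23 SELECT members
2022-01-10T11:20:00Z 10.0.1.5 SELECT members
2022-01-10T11:25:00Z 10.0.1.6 SELECT members
"""

# Assumed: only the application tier (10.0.1.0/24) may touch the member database,
# and it does so at least every 10 minutes, so any longer silence needs an explanation.
APP_SERVER_NETS = [ipaddress.ip_network("10.0.1.0/24")]
MAX_EXPECTED_GAP = timedelta(minutes=10)


def parse_log(text):
    """Parse the hypothetical log format into dicts; keeps the line number for the report."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ts, ip, op = line.split(maxsplit=2)
        entries.append({
            "line": lineno,
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ipaddress.ip_address(ip),
            "op": op,
        })
    return entries


def find_ordering_anomalies(entries):
    """A timestamp earlier than its predecessor suggests edited or merged logs; report it."""
    return [cur["line"] for prev, cur in zip(entries, entries[1:]) if cur["ts"] < prev["ts"]]


def find_gaps(entries, max_gap=MAX_EXPECTED_GAP):
    """Question 2: every interval between consecutive entries longer than max_gap.

    Returns (start, end, duration) tuples; each one is a gap that must be explained
    (maintenance window, outage) before the log can be called complete."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_gap:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def find_unauthorised(entries, allowed=APP_SERVER_NETS):
    """Question 3: every entry whose source address is outside the application-server networks."""
    return [e for e in entries if not any(e["ip"] in net for net in allowed)]


def audit(text):
    """Run all three checks and return a report dict."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "out_of_order_lines": find_ordering_anomalies(entries),
        "gaps": find_gaps(entries),
        "unauthorised": find_unauthorised(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"{report['entries']} entries parsed")
    for line in report["out_of_order_lines"]:
        print(f"out-of-order timestamp at line {line}")
    for start, end, delta in report["gaps"]:
        print(f"unexplained gap: {start:%Y-%m-%d %H:%M}Z -> {end:%H:%M}Z ({delta})")
    for e in report["unauthorised"]:
        print(f"line {e['line']}: {e['ip']} is not an application server ({e['op']})")
```

On the constructed sample this reports one gap (08:15 to 11:20) and one access from 198.51.100.23. A clean run proves only that the retained log is consistent; it says nothing about whether logging was switched on throughout or whether the log store itself was protected, which is Roland's first question and has to be answered from the logging configuration and its own change history rather than from the log contents.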