[Chapter-delegates] Internet Society Data Leaked
Joly MacFie
joly at punkcast.com
Thu Feb 17 00:39:39 PST 2022
As reported by which 3rd parties? The Clario statement
<https://clario.co/blog/internet-society-member-data-breach/> only says the
data was unprotected, not that it was exploited.
j
On Thu, Feb 17, 2022 at 3:33 AM Winthrop Yu via Chapter-delegates <
chapter-delegates at elists.isoc.org> wrote:
> On 17 Feb 2022 10:13 am, Joly MacFie wrote:
>
> While I concur with concerns about the transparency, I will just say
> that there is a difference between a breach and a detected vulnerability,
> so let's not get ahead of ourselves.
>
> If the vulnerability were unexploited that distinction may hold. If, as
> reported by 3rd parties, there is ISOC member data out there, then clearly
> there was a breach. In any case, I believe notification requirements apply,
> here in our jurisdiction if not in yours.
>
> What does seem odd is the length of time between the discovery and the
> reaction.
>
> ISOC HQ told us to expect more information (clarification, details, etc.),
> we waited patiently as is proper. Should chapters have done otherwise --
> speak now or forever hold your peace? :)
>
>
> WYn
>
> On Wed, Feb 16, 2022 at 7:35 PM Winthrop Yu via Chapter-delegates <
> chapter-delegates at elists.isoc.org> wrote:
>
>> Olivier, we don't need press releases or "updates".
>>
>> At the very least, we need:
>>
>> a) a clear, comprehensive yet concise official statement from ISOC HQ
>> regarding the breach.
>>
>> b) including whether ISOC HQ has notified *all* its global members
>> (which would include the individual members of chapters).
>>
>> That above is a bare minimum. Then we will have to check that against any
>> obligations the chapter itself may have under local law. And we may
>> subsequently need further clarification / statements from ISOC HQ.
>>
>> WYn
>>
>>
>> On 17 Feb 2022 1:45 am, Olivier MJ Crépin-Leblond via Chapter-delegates
>> wrote:
>>
>> Am I the only one in Chapter Delegates mailing list who received and read
>> the email from Christine Saegesser explaining the problem with MemberNova
>> and referring to:
>>
>> "As we noted in our prior email, after we learned of the issue, we
>> launched an investigation. The investigation is continuing, and we will
>> provide more details when we have more information to share. Going forward,
>> updates will be posted at updates.internetsociety.org, and we encourage
>> you to check there for additional information. The membership password
>> to access this website is ISOC-AMS-Updates (case sensitive)."
>>
>> Or is the problem that there do not appear to have been any updates
>> since 21st January 2021?
>>
>> Kindest regards,
>>
>> Olivier
>>
>>
>> On 16/02/2022 14:54, Veni Markovski via Chapter-delegates wrote:
>>
>> +1 to the request for more clarity; our members need to be informed, and
>> I don't want to share on social media a link to an article on some website.
>> There should be something at isoc.org, and in the news section there's
>> only one press release from 2022 - on February 4.
>>
>> Also, it's not a good thing to find out from a publication about some of
>> the details (I assume not all of them)...
>>
>> v/
>>
>> On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
>>
>> Andrew,
>>
>> Could we have a little more clarity on this please? Chapter members in
>> multiple jurisdictions may have notification obligations arising from this.
>>
>>
>> The Jan 21 <https://updates.internetsociety.org/> update states:
>>
>> Fortunately, we have still not seen any instances of malicious access to
>> member data as a result of this issue.
>>
>>
>> This appears a little unclear to me on two important fronts:
>>
>> *"have not seen"*
>>
>> An adversarial read of this is the rather horrifying idea that access
>> logging was not turned on, so you (and MemberNet) haven't the faintest idea
>> whether there were any unauthorised accesses, which would certainly allow
>> you to say that you hadn't seen any unauthorised accesses but wouldn't mean
>> that there weren't any, even at a reasonable level of confidence. Hopefully
>> this is not the case!
>>
>> *"malicious access"*
>>
>> The relevant question is not whether any accesses could be described as
>> malicious, but simply whether they were unauthorised. An adversarial read
>> of this is that there were unauthorised accesses, but because you don't
>> have much information about the unauthorised accessors you are not in a
>> position to say that they were acting maliciously, however this would tell
>> us nothing about whether there had been unauthorised access. Again,
>> hopefully this is not the case!
>>
>>
>> To address both concerns, are you able to confirm that:
>>
>> 1. access logging was turned on and the logs were successfully
>> secured;
>> 2. the logs appear to be complete (in this case "appear to" is fine;
>> the requirement is simply that there are no unexplained gaps); and
>> 3. all logged accesses are authorised (i.e. because they were made by
>> the application server, not random external IP addresses)
>>
>> ?
>>
>>
>> - Roland
>>
>>
>> ------------------------------
>>
>> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>>
>> In case you missed it:
>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>
>>
>> Regards,
>>
>> Hank
>>
--
--------------------------------------
Joly MacFie +12185659365
--------------------------------------
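Roland's checks 2 and 3 above can be run mechanically over an access log. The following is an added example, not code from the thread, from ISOC or from MemberNova; the log format, the application-server subnet and the 30-minute gap threshold are assumptions.

```python
"""Added example: checks 2 and 3 of Roland's list applied to an access log.
Not code from the thread, ISOC or MemberNova; log format, application-server
subnet and gap threshold are assumptions."""
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of a member-database access log: "<UTC ts> <src IP> <action>"
SAMPLE_LOG = """\
2022-01-10T09:00:00Z 10.0.1.5 SELECT members
2022-01-10T09:05:00Z 10.0.1.5 SELECT members
2022-01-10T09:10:00Z 10.0.1.5 SELECT members
2022-01-10T11:40:00Z 203.0.113.77 SELECT members
2022-01-10T11:45:00Z 10.0.1.5 SELECT members
"""

# Assumption: only the application server subnet should reach the database.
APP_SERVERS = [ipaddress.ip_network("10.0.1.0/24")]
# Assumption: the app logs at least once per 30 min; longer silence is a gap.
MAX_GAP = timedelta(minutes=30)


def parse_log(text):
    """Parse each line into (datetime, ip_address, action), oldest first."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, action = line.split(" ", 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        entries.append((when, ipaddress.ip_address(ip), action))
    return sorted(entries, key=lambda e: e[0])


def find_gaps(entries, max_gap=MAX_GAP):
    """Check 2: consecutive entries separated by more than max_gap."""
    return [(prev[0], cur[0]) for prev, cur in zip(entries, entries[1:])
            if cur[0] - prev[0] > max_gap]


def find_unexpected_sources(entries, allowed=APP_SERVERS):
    """Check 3: accesses whose source is not an application server."""
    return [e for e in entries if not any(e[1] in net for net in allowed)]


def audit(text):
    """Checks 2 and 3; check 1 (logging on, logs secured) is not visible here."""
    entries = parse_log(text)
    return {"gaps": find_gaps(entries),
            "unexpected": find_unexpected_sources(entries)}
```

On the constructed sample the audit reports one two-and-a-half-hour gap and one access from outside the application subnet; a clean result still rests on check 1, since a log that was never written shows neither gaps nor strangers.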