[Chapter-delegates] Internet Society Data Leaked

Borka Jerman Blazic borka at e5.ijs.si
Thu Feb 17 00:51:54 PST 2022



+1.

Correct statement. Clear information will be the best response about 
what has happened. If only a vulnerability was discovered, then the remedy is 
known and there is no damage.

Regards,


Borka



On 17. 02. 2022 at 09:33, Winthrop Yu via Chapter-delegates wrote:

> On 17 Feb 2022 10:13 am, Joly MacFie wrote:
>> While I concur with concerns about the transparency, I will just say that
>> there is a difference between a breach and a detected vulnerability, so
>> let's not get ahead of ourselves.
>
> If the vulnerability were unexploited that distinction may hold. If, as
> reported by 3rd parties, there is ISOC member data out there, then clearly
> there was a breach. In any case, I believe notification requirements apply,
> here in our jurisdiction if not in yours.
>
>> What does seem odd is the length of time between the discovery and the
>> reaction.
>
> ISOC HQ told us to expect more information (clarification, details, etc.),
> we waited patiently as is proper. Should chapters have done otherwise --
> speak now or forever hold your peace? :)
>
> WYn
>
>> On Wed, Feb 16, 2022 at 7:35 PM Winthrop Yu via Chapter-delegates
>> <chapter-delegates at elists.isoc.org> wrote:
>>
>> Olivier, we don't need press releases or "updates".
>>
>> At the very least, we need:
>>
>> a) a clear, comprehensive yet concise official statement from ISOC HQ
>> regarding the breach.
>>
>> b) including whether ISOC HQ has notified *all* its global members (which
>> would include the individual members of chapters).
>>
>> That above is a bare minimum. Then we will have to check that against any
>> obligations the chapter itself may have under local law. And we may
>> subsequently need further clarification / statements from ISOC HQ.
>>
>> WYn
>>
>> On 17 Feb 2022 1:45 am, Olivier MJ Crépin-Leblond via Chapter-delegates wrote:
>>> Am I the only one in the Chapter Delegates mailing list who received and
>>> read the email from Christine Saegesser explaining the problem with
>>> MemberNova and referring to:
>>>
>>> "As we noted in our prior email, after we learned of the issue, we
>>> launched an investigation. The investigation is continuing, and we will
>>> provide more details when we have more information to share. Going
>>> forward, updates will be posted at updates.internetsociety.org
>>> <http://updates.internetsociety.org>, and we encourage you to check there
>>> for additional information. The membership password to access this
>>> website is ISOC-AMS-Updates (case sensitive)."
>>>
>>> Or is the problem that there does not appear to have been any updates
>>> since 21st January 2021?
>>>
>>> Kindest regards,
>>>
>>> Olivier
>>>
>>> On 16/02/2022 14:54, Veni Markovski via Chapter-delegates wrote:
>>>> +1 to the request for more clarity; our members need to be informed, and
>>>> I don't want to share on social media a link to an article on some
>>>> website. There should be something at isoc.org <http://isoc.org>, and in
>>>> the news section there's only one press release from 2022 - on February 4.
>>>>
>>>> Also, it's not a good thing to find out from a publication about some of
>>>> the details (I assume not all of them)...
>>>>
>>>> v/
>>>>
>>>> On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
>>>>> Andrew,
>>>>>
>>>>> Could we have a little more clarity on this please? Chapter members in
>>>>> multiple jurisdictions may have notification obligations arising from
>>>>> this.
>>>>>
>>>>> The Jan 21 <https://updates.internetsociety.org/> update states:
>>>>>> Fortunately, we have still not seen any instances of malicious access
>>>>>> to member data as a result of this issue.
>>>>>
>>>>> This appears a little unclear to me on two important fronts:
>>>>>
>>>>> *"have not seen"*
>>>>>
>>>>> An adversarial read of this is the rather horrifying idea that access
>>>>> logging was not turned on, so you (and MemberNet) haven't the faintest
>>>>> idea whether there were any unauthorised accesses, which would
>>>>> certainly allow you to say that you hadn't seen any unauthorised
>>>>> accesses but wouldn't mean that there weren't any, even at a reasonable
>>>>> level of confidence. Hopefully this is not the case!
>>>>>
>>>>> *"malicious access"*
>>>>>
>>>>> The relevant question is not whether any accesses could be described as
>>>>> malicious, but simply whether they were unauthorised. An adversarial
>>>>> read of this is that there were unauthorised accesses, but because you
>>>>> don't have much information about the unauthorised accessers you are
>>>>> not in a position to say that they were acting maliciously; however,
>>>>> this would tell us nothing about whether there had been unauthorised
>>>>> access. Again, hopefully this is not the case!
>>>>>
>>>>> To address both concerns, are you able to confirm that:
>>>>>
>>>>> 1. access logging was turned on and the logs were successfully secured;
>>>>> 2. the logs appear to be complete (in this case "appear to" is fine;
>>>>>    the requirement is simply that there are no unexplained gaps); and
>>>>> 3. all logged accesses are authorised (i.e. because they were made by
>>>>>    the application server, not random external IP addresses)
>>>>>
>>>>> ?
>>>>>
>>>>> - Roland
>>>>>
>>>>> -------------------------
>>>>>
>>>>> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>>>>>> In case you missed it:
>>>>>>
>>>>>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>>>>>
>>>>>> Regards,
>>>>>> Hank
>
> _______________________________________________
> As an Internet Society Chapter Officer you are automatically subscribed to
> this list, which is regularly synchronized with the Internet Society
> Chapter Portal (AMS): https://admin.internetsociety.org/622619/User/Login
> View the Internet Society Code of Conduct:
> https://www.internetsociety.org/become-a-member/code-of-conduct/

-- 
Prof. dr. Borka Jerman-Blažič
Ex-Head, Laboratory for Open Systems and Networks
Jožef Stefan Institute and Faculty of Economics, Ljubljana University, Slovenia
tel. +386 1 477 3408
tel. +386 1 477 3756
mob. +386 41 678 410
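Roland Turner's checks 2 and 3 in the quoted thread (a log with no unexplained gaps, and every logged access coming from the application server rather than arbitrary external addresses) are the kind of thing an incident responder can verify mechanically once the logs exist; check 1, that logging was on and the logs were secured, is a question for the operator, not for a script. The following is an added example written for this page, not code from the thread, from ISOC or from MemberNova. The log format, the application-tier address range, the 30-minute silence threshold and the sample lines are all constructed for illustration.

```python
"""
Mechanical review of a member-database access log along the lines of
Roland Turner's checks 2 and 3: (2) no unexplained gaps in the log, and
(3) every logged access came from the application tier, not from an
arbitrary external address.

Everything below (log format, address range, threshold, sample lines) is
constructed for illustration and is not MemberNova's or ISOC's.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: the application servers are the only legitimate database clients
# and live in this private range.
APP_TIER = [ip_network("10.20.0.0/24")]

# Assumed: in normal operation the app tier queries the database at least
# this often, so a longer silence is a gap that needs an explanation
# (outage, log rotation, deliberate deletion...).
MAX_EXPECTED_SILENCE = timedelta(minutes=30)

# Constructed sample log, one access per line:
# "<ISO-8601 UTC timestamp> <client ip> <db user> <statement type>"
SAMPLE_LOG = """\
2022-01-18T09:00:05Z 10.20.0.11 app_ro SELECT
2022-01-18T09:12:40Z 10.20.0.12 app_ro SELECT
2022-01-18T09:30:01Z 10.20.0.11 app_rw UPDATE
2022-01-18T11:05:17Z 10.20.0.12 app_ro SELECT
2022-01-18T11:07:52Z 203.0.113.7 app_ro SELECT
2022-01-18T11:20:09Z 10.20.0.11 app_ro SELECT
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client_ip, user, statement) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, stmt = line.split(maxsplit=3)
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        ip_address(ip), user, stmt))
    return entries


def find_gaps(entries, max_silence=MAX_EXPECTED_SILENCE):
    """Check 2: return (start, end) pairs where consecutive entries are further apart than expected."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        if cur[0] - prev[0] > max_silence:
            gaps.append((prev[0], cur[0]))
    return gaps


def find_foreign_accesses(entries, app_tier=APP_TIER):
    """Check 3: return entries whose client address lies outside the application tier."""
    return [e for e in entries if not any(e[1] in net for net in app_tier)]


def review(text):
    """Run both checks; a clean log yields an empty 'gaps' list and an empty 'foreign' list."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "gaps": find_gaps(entries),
        "foreign": find_foreign_accesses(entries),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"{result['entries']} log entries reviewed")
    for start, end in result["gaps"]:
        print(f"unexplained gap: {start.isoformat()} -> {end.isoformat()}")
    for ts, ip, user, stmt in result["foreign"]:
        print(f"access from outside the app tier: {ts.isoformat()} {ip} {user} {stmt}")
```

On the constructed sample the script reports one gap (the 09:30 to 11:05 silence) and one access from 203.0.113.7, which is outside the assumed application range. Neither finding proves a breach on its own: a gap may be a maintenance window and a foreign address may be a legitimate administrator, but each is exactly the kind of item that must be explained before a statement like "we have not seen any malicious access" can be made with confidence.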