[Chapter-delegates] Internet Society Data Leaked
Roland Turner
roland at rolandturner.com
Thu Feb 17 01:07:41 PST 2022
On 17/2/22 16:39, Joly MacFie via Chapter-delegates wrote:
> As reported by which 3rd parties? The Clario statement
> <https://clario.co/blog/internet-society-member-data-breach/> only
> says the data was unprotected, not that it was exploited.
It states that it was publicly indexed, which would require very
substantial unauthorised access, vs. merely the potential exposure which
has been reported so far.
Granted, it states somewhat confusingly that it was publicly indexed by
an "unknown" public search engine. (How would they know that?)
- Roland
------------------------------------------------------------------------
>
> j
>
> On Thu, Feb 17, 2022 at 3:33 AM Winthrop Yu via Chapter-delegates
> <chapter-delegates at elists.isoc.org> wrote:
>
> On 17 Feb 2022 10:13 am, Joly MacFie wrote:
>
>> While I concur with concerns about the transparency, I will just
>> say that there is a difference between a breach and a detected
>> vulnerability, so let's not get ahead of ourselves.
>>
> If the vulnerability were unexploited that distinction may hold.
> If, as reported by 3rd parties, there is ISOC member data out
> there, then clearly there was a breach. In any case, I believe
> notification requirements apply, here in our jurisdiction if not
> in yours.
>
>> What does seem odd is the length of time between the discovery
>> and the reaction.
>>
> ISOC HQ told us to expect more information (clarification,
> details, etc.), we waited patiently as is proper. Should chapters
> have done otherwise -- speak now or forever hold your peace? :)
>
>
> WYn
>
>
>> On Wed, Feb 16, 2022 at 7:35 PM Winthrop Yu via Chapter-delegates
>> <chapter-delegates at elists.isoc.org> wrote:
>>
>> Olivier, we don't need press releases or "updates".
>>
>> At the very least, we need:
>>
>> a) a clear, comprehensive yet concise official statement
>> from ISOC HQ regarding the breach.
>>
>> b) including whether ISOC HQ has notified *all* its global
>> members (which would include the individual members of chapters).
>>
>> That above is a bare minimum. Then we will have to check that
>> against any obligations the chapter itself may have under
>> local law. And we may subsequently need further clarification
>> / statements from ISOC HQ.
>>
>> WYn
>>
>>
>> On 17 Feb 2022 1:45 am, Olivier MJ Crépin-Leblond via
>> Chapter-delegates wrote:
>>> Am I the only one in Chapter Delegates mailing list who
>>> received and read the email from Christine Saegesser
>>> explaining the problem with MemberNova and referring to:
>>>
>>> "As we noted in our prior email, after we learned of the
>>> issue, we launched an investigation. The investigation
>>> is continuing, and we will provide more details when we have
>>> more information to share. Going forward, updates will
>>> be posted at updates.internetsociety.org
>>> <http://updates.internetsociety.org>, and we encourage you
>>> to check there for additional information. The membership
>>> password to access this website is ISOC-AMS-Updates (case
>>> sensitive)."
>>>
>>> Or is the problem that there does not appear to have been
>>> any updates since 21st January 2021?
>>>
>>> Kindest regards,
>>>
>>> Olivier
>>>
>>>
>>> On 16/02/2022 14:54, Veni Markovski via Chapter-delegates wrote:
>>>> +1 to the request for more clarity; our members need to be
>>>> informed, and I don't want to share on social media a link
>>>> to an article on some website. There should be something at
>>>> isoc.org <http://isoc.org>, and in the news section there's
>>>> only one press release from 2022 - on February 4.
>>>>
>>>> Also, it's not a good thing to find out from a publication
>>>> about some of the details (I assume not all of them)...
>>>>
>>>> v/
>>>>
>>>> On 2/16/22 04:19, Roland Turner via Chapter-delegates wrote:
>>>>> Andrew,
>>>>>
>>>>> Could we have a little more clarity on this please?
>>>>> Chapter members in multiple jurisdictions may have
>>>>> notification obligations arising from this.
>>>>>
>>>>>
>>>>> The Jan 21 <https://updates.internetsociety.org/> update
>>>>> states:
>>>>>> Fortunately, we have still not seen any instances of
>>>>>> malicious access to member data as a result of this issue.
>>>>>
>>>>> This appears a little unclear to me on two important fronts:
>>>>>
>>>>> *"have not seen"*
>>>>>
>>>>> An adversarial read of this is the rather horrifying idea
>>>>> that access logging was not turned on, so you (and
>>>>> MemberNet) haven't the faintest idea whether there were
>>>>> any unauthorised accesses, which would certainly allow you
>>>>> to say that you hadn't seen any unauthorised accesses but
>>>>> wouldn't mean that there weren't any, even at a reasonable
>>>>> level of confidence. Hopefully this is not the case!
>>>>>
>>>>> *"malicious access"*
>>>>>
>>>>> The relevant question is not whether any accesses could be
>>>>> described as malicious, but simply whether they were
>>>>> unauthorised. An adversarial read of this is that there
>>>>> were unauthorised accesses, but because you don't have
>>>>> much information about the unauthorised accessors you are not
>>>>> in a position to say that they were acting maliciously,
>>>>> however this would tell us nothing about whether there had
>>>>> been unauthorised access. Again, hopefully this is not the
>>>>> case!
>>>>>
>>>>>
>>>>> To address both concerns, are you able to confirm that:
>>>>>
>>>>> 1. access logging was turned on and the logs were
>>>>> successfully secured;
>>>>> 2. the logs appear to be complete (in this case "appear
>>>>> to" is fine; the requirement is simply that there are
>>>>> no unexplained gaps); and
>>>>> 3. all logged accesses are authorised (i.e. because they
>>>>> were made by the application server, not random
>>>>> external IP addresses)
>>>>>
>>>>> ?
>>>>>
>>>>>
>>>>> - Roland
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> On 16/2/22 15:41, Hank Nussbacher via Chapter-delegates wrote:
>>>>>> In case you missed it:
>>>>>>
>>>>>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Hank
>>>>>>
>>
> _______________________________________________
> As an Internet Society Chapter Officer you are automatically
> subscribed
> to this list, which is regularly synchronized with the Internet
> Society Chapter Portal (AMS):
> https://admin.internetsociety.org/622619/User/Login
> View the Internet Society Code of Conduct:
> https://www.internetsociety.org/become-a-member/code-of-conduct/
>
>
>
> --
> --------------------------------------
> Joly MacFie +12185659365
> --------------------------------------
> -
>
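An added example, not from the thread and not from ISOC or MemberNova, of the checks Roland asks for in points 2 and 3 of his 16 Feb message: scan an access log for unexplained time gaps and for accesses that did not come from the application servers. The log format, the application-server subnet, the gap threshold and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample access-log lines (assumed format: ISO timestamp, source IP, request).
SAMPLE_LOG = """\
2022-01-10T08:00:00Z 10.20.0.5 GET /members?page=1
2022-01-10T08:00:30Z 10.20.0.5 GET /members?page=2
2022-01-10T08:01:00Z 10.20.0.6 GET /members?page=3
2022-01-12T03:15:10Z 203.0.113.77 GET /members?page=1
2022-01-12T03:15:11Z 203.0.113.77 GET /members?page=2
2022-01-12T03:20:00Z 10.20.0.5 GET /members?page=4
"""

# Networks the application servers are expected to use (assumed for the example).
APP_SERVER_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# A silence longer than this is reported as a gap that needs an explanation.
MAX_GAP = timedelta(hours=12)


def parse(log_text):
    """Return (timestamp, source_ip, request) tuples sorted by timestamp."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, *rest = line.split()
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        ipaddress.ip_address(ip), " ".join(rest)))
    return sorted(entries, key=lambda e: e[0])


def find_gaps(entries, max_gap=MAX_GAP):
    """Point 2: list (start, end) pairs where consecutive entries are further apart than max_gap."""
    return [(prev[0], cur[0]) for prev, cur in zip(entries, entries[1:])
            if cur[0] - prev[0] > max_gap]


def find_unexpected_sources(entries, allowed=APP_SERVER_NETS):
    """Point 3: list entries whose source address is not one of the application servers."""
    return [e for e in entries if not any(e[1] in net for net in allowed)]


def review(log_text):
    """Summarise both checks so a reviewer can answer 'complete?' and 'all authorised?'."""
    entries = parse(log_text)
    return {"gaps": find_gaps(entries), "unexpected": find_unexpected_sources(entries)}
```

On the constructed sample, the 43-hour silence between 10 and 12 January is reported as a gap, and the two requests from 203.0.113.77 are reported as not originating from the application servers.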