[Chapter-delegates] Internet Society Data Leaked
Roland Turner
roland at rolandturner.com
Fri Feb 18 03:21:26 PST 2022
Response from Clario (private email):
> Thanks for getting in touch!
>
> The instance in question was indexed by Grayhat Warfare search engine.
> We hope you liked the article and found it useful.
Additions to ISoc's FAQ <https://updates.internetsociety.org/faq/> on this:
> Due to the nature of the configuration as a public container, the logs
> do not contain sufficient information to provide us with a complete
> record of data access.
Quite how this is possible is not clear to me (they're using a hosting
provider which loses logs constantly?).
>
> Do Internet Society chapter leaders have any legal
> obligations to formally notify chapter members about this
> issue or provide additional information?
>
> Given the nature of this issue, we can confirm that the Internet
> Society is the data owner/data controller for any member data that may
> have been publicly accessible. Because the Internet Society is the
> data owner/data controller, any legal obligations to provide notice
> would belong to the Internet Society, as opposed to any chapters. We
> also notified individual members directly of the issue.
>
This is an interesting claim, particularly given that chapters are or
can be separate legal entities. I'm not yet sure what to make of it.
- Roland
------------------------------------------------------------------------
On 17/2/22 18:23, Roland Turner wrote:
> On 17/2/22 17:29, Joly MacFie wrote:
>
>> I can't quite grasp how something can be both public and unknown..
>> Sounds like speculation to me.
> Sure, but as presented the report also appears speculative. We simply
> don't know at this point whether there was or was not unauthorised
> access other than by Clario and neither does Clario. ISoc presumably
> does either:
>
> * know, because either all or not all accesses were authorised or
> Clario's; or
> * know that this is unknowable (because logging was turned off)
>
> but hasn't at this point shared this information. This is a
> problematic situation for dozens of chapters, whether or not anyone
> happens also to have information indicating active exploitation.
>
> - Roland
>
> ------------------------------------------------------------------------
>
> On 17/2/22 17:29, Joly MacFie wrote:
>> > It states that it was publicly indexed,
>>
>> by an "Unknown public search engine"
>>
>> I can't quite grasp how something can be both public and unknown..
>> Sounds like speculation to me.
>>
>> What is more likely is that Clario were methodically running pen
>> tests on AWS blobs, and got lucky.
>>
>> joly
>>
>> On Thu, Feb 17, 2022 at 4:07 AM Roland Turner via Chapter-delegates
>> <chapter-delegates at elists.isoc.org> wrote:
>>
>> On 17/2/22 16:39, Joly MacFie via Chapter-delegates wrote:
>>
>>> As reported by which 3rd parties? The Clario statement
>>> <https://clario.co/blog/internet-society-member-data-breach/> only
>>> says the data was unprotected, not that it was exploited.
>>
>> It states that it was publicly indexed, which would require very
>> substantial unauthorised access, vs. merely the potential
>> exposure which has been reported so far.
>>
>> Granted, it states somewhat confusingly that it was publicly
>> indexed by an "unknown" public search engine. (How would they
>> know that?)
>>
>> - Roland
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>>>
>>> j
>>>
>>> On Thu, Feb 17, 2022 at 3:33 AM Winthrop Yu via
>>> Chapter-delegates <chapter-delegates at elists.isoc.org> wrote:
>>>
>>> On 17 Feb 2022 10:13 am, Joly MacFie wrote:
>>>
>>>> While I concur with concerns about the transparency, I will
>>>> just say that there is a difference between a breach and a
>>>> detected vulnerability, so let's not get ahead of ourselves.
>>>>
>>> If the vulnerability were unexploited that distinction may
>>> hold. If, as reported by 3rd parties, there is ISOC member
>>> data out there, then clearly there was a breach. In any
>>> case, I believe notification requirements apply, here in our
>>> jurisdiction if not in yours.
>>>
>>>> What does seem odd is the length of time between the
>>>> discovery and the reaction.
>>>>
>>> ISOC HQ told us to expect more information (clarification,
>>> details, etc.), we waited patiently as is proper. Should
>>> chapters have done otherwise -- speak now or forever hold
>>> your peace? :)
>>>
>>>
>>> WYn
>>>
>>>
>>>> On Wed, Feb 16, 2022 at 7:35 PM Winthrop Yu via
>>>> Chapter-delegates <chapter-delegates at elists.isoc.org> wrote:
>>>>
>>>> Olivier, we don't need press releases or "updates".
>>>>
>>>> At the very least, we need:
>>>>
>>>> a) a clear, comprehensive yet concise official
>>>> statement from ISOC HQ regarding the breach.
>>>>
>>>> b) including whether ISOC HQ has notified *all* its
>>>> global members (which would include the individual
>>>> members of chapters).
>>>>
>>>> That above is a bare minimum. Then we will have to
>>>> check that against any obligations the chapter itself
>>>> may have under local law. And we may subsequently need
>>>> further clarification / statements from ISOC HQ.
>>>>
>>>> WYn
>>>>
>>>>
>>>> On 17 Feb 2022 1:45 am, Olivier MJ Crépin-Leblond via
>>>> Chapter-delegates wrote:
>>>>> Am I the only one in Chapter Delegates mailing list
>>>>> who received and read the email from Christine
>>>>> Saegesser explaining the problem with MemberNova and
>>>>> referring to:
>>>>>
>>>>> "As we noted in our prior email, after we learned of
>>>>> the issue, we launched an investigation.
>>>>> The investigation is continuing, and we will provide
>>>>> more details when we have more information to share.
>>>>> Going forward, updates will be posted at
>>>>> updates.internetsociety.org
>>>>> <http://updates.internetsociety.org>, and we encourage
>>>>> you to check there for additional information. The
>>>>> membership password to access this website
>>>>> is ISOC-AMS-Updates (case sensitive)."
>>>>>
>>>>> Or is the problem that there does not appear to have
>>>>> been any updates since 21st January 2021?
>>>>>
>>>>> Kindest regards,
>>>>>
>>>>> Olivier
>>>>>
>>>>>
>>>>> On 16/02/2022 14:54, Veni Markovski via
>>>>> Chapter-delegates wrote:
>>>>>> +1 to the request for more clarity; our members need
>>>>>> to be informed, and I don't want to share on social
>>>>>> media a link to an article on some website. There
>>>>>> should be something at isoc.org <http://isoc.org>,
>>>>>> and in the news section there's only one press
>>>>>> release from 2022 - on February 4.
>>>>>>
>>>>>> Also, it's not a good thing to find out from a
>>>>>> publication about some of the details (I assume not
>>>>>> all of them)...
>>>>>>
>>>>>> v/
>>>>>>
>>>>>> On 2/16/22 04:19, Roland Turner via Chapter-delegates
>>>>>> wrote:
>>>>>>> Andrew,
>>>>>>>
>>>>>>> Could we have a little more clarity on this please?
>>>>>>> Chapter members in multiple jurisdictions may have
>>>>>>> notification obligations arising from this.
>>>>>>>
>>>>>>>
>>>>>>> The Jan 21 <https://updates.internetsociety.org/>
>>>>>>> update states:
>>>>>>>> Fortunately, we have still not seen any instances
>>>>>>>> of malicious access to member data as a result of
>>>>>>>> this issue.
>>>>>>>
>>>>>>> This appears a little unclear to me on two important
>>>>>>> fronts:
>>>>>>>
>>>>>>> *"have not seen"*
>>>>>>>
>>>>>>> An adversarial read of this is the rather horrifying
>>>>>>> idea that access logging was not turned on, so you
>>>>>>> (and MemberNet) haven't the faintest idea whether
>>>>>>> there were any unauthorised accesses, which would
>>>>>>> certainly allow you to say that you hadn't seen any
>>>>>>> unauthorised accesses but wouldn't mean that there
>>>>>>> weren't any, even at a reasonable level of
>>>>>>> confidence. Hopefully this is not the case!
>>>>>>>
>>>>>>> *"malicious access"*
>>>>>>>
>>>>>>> The relevant question is not whether any accesses
>>>>>>> could be described as malicious, but simply whether
>>>>>>> they were unauthorised. An adversarial read of this
>>>>>>> is that there were unauthorised accesses, but
>>>>>>> because you don't have much information about the
>>>>>>> unauthorised accessers you are not in a position to say
>>>>>>> that they were acting maliciously; however, this
>>>>>>> would tell us nothing about whether there had been
>>>>>>> unauthorised access. Again, hopefully this is not
>>>>>>> the case!
>>>>>>>
>>>>>>>
>>>>>>> To address both concerns, are you able to confirm that:
>>>>>>>
>>>>>>> 1. access logging was turned on and the logs were
>>>>>>> successfully secured;
>>>>>>> 2. the logs appear to be complete (in this case
>>>>>>> "appear to" is fine; the requirement is simply
>>>>>>> that there are no unexplained gaps); and
>>>>>>> 3. all logged accesses are authorised (i.e. because
>>>>>>> they were made by the application server, not
>>>>>>> random external IP addresses)
>>>>>>>
>>>>>>> ?
>>>>>>>
>>>>>>>
>>>>>>> - Roland
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>>
>>>>>>> On 16/2/22 15:41, Hank Nussbacher via
>>>>>>> Chapter-delegates wrote:
>>>>>>>> In case you missed it:
>>>>>>>>
>>>>>>>> https://www.infosecurity-magazine.com/news/internet-society-data-leaked/
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Hank
>>>>>>>>
>>>>
>>> _______________________________________________
>>> As an Internet Society Chapter Officer you are automatically
>>> subscribed
>>> to this list, which is regularly synchronized with the
>>> Internet Society Chapter Portal (AMS):
>>> https://admin.internetsociety.org/622619/User/Login
>>> View the Internet Society Code of Conduct:
>>> https://www.internetsociety.org/become-a-member/code-of-conduct/
>>>
>>>
>>>
>>> --
>>> --------------------------------------
>>> Joly MacFie +12185659365
>>> --------------------------------------
>>> -
>>>
>>
>
>
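The three questions Roland puts to ISOC HQ in his 16 Feb message quoted above (was access logging on, are the logs free of unexplained gaps, and was every logged access made by the application server rather than arbitrary external addresses) are mechanical enough to script. The following is an added example written for this page, not code from the thread, from ISOC or from Clario. It uses a constructed, simplified access-log format (timestamp, remote IP, requester, operation, object key, HTTP status) and assumes the application server lives in 10.0.1.0/24; a real object-store provider's access logs carry more fields in a different layout, so `parse_line()` would need adapting. It also reproduces the "unknowable" outcome the FAQ describes: with no log lines at all, the script refuses to conclude anything about access.

```python
"""Triage object-store access logs against the three questions in the
quoted 16 Feb message: (1) was logging on, (2) are the logs contiguous,
(3) did every access come from the application server?

Added example for this page, not part of the mailing-list thread.
The log format is constructed and simplified; the application-server
subnet (10.0.1.0/24) and the sample entries are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: accesses to a member-data export in a container that
# was configured public. 203.0.113.7 is a documentation-range address
# standing in for an anonymous external reader.
SAMPLE_LOG = """\
2022-01-20T09:00:01Z 10.0.1.15 app-service GET members/export.csv 200
2022-01-20T09:00:05Z 10.0.1.15 app-service PUT members/export.csv 200
2022-01-20T11:42:33Z 203.0.113.7 - GET members/export.csv 200
2022-01-20T11:42:34Z 203.0.113.7 - GET members/ 403
2022-01-21T08:15:00Z 10.0.1.16 app-service GET members/export.csv 200
"""

APP_SERVER_NETS = [ip_network("10.0.1.0/24")]  # assumption for this example
MAX_GAP = timedelta(hours=12)  # tune to the container's normal traffic rate


@dataclass
class Entry:
    when: datetime
    remote_ip: str
    requester: str
    operation: str
    key: str
    status: int


def parse_line(line: str) -> Entry:
    """Parse one line of the constructed format; adapt for a real provider."""
    ts, ip, requester, op, key, status = line.split()
    return Entry(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                 ip, requester, op, key, int(status))


def parse_log(text: str) -> list[Entry]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_authorised(e: Entry) -> bool:
    """Authorised means made from the application server's address range by
    its service identity, not by an anonymous ('-') or external requester.
    Failed attempts (e.g. 403) from outside still count as unauthorised."""
    return e.requester != "-" and any(ip_address(e.remote_ip) in n
                                      for n in APP_SERVER_NETS)


def find_gaps(entries, max_gap=MAX_GAP):
    """Return (start, end) pairs where consecutive entries lie further apart
    than max_gap. A gap is a prompt to ask whether logging was off, not
    proof that records were lost."""
    ordered = sorted(entries, key=lambda e: e.when)
    return [(a.when, b.when) for a, b in zip(ordered, ordered[1:])
            if b.when - a.when > max_gap]


def triage(text: str) -> dict:
    entries = parse_log(text)
    if not entries:
        # No log at all: the FAQ's "insufficient information" situation.
        return {"logging_evident": False, "gaps": [], "unauthorised": [],
                "verdict": "unknowable"}
    unauthorised = [e for e in entries if not is_authorised(e)]
    gaps = find_gaps(entries)
    if unauthorised:
        verdict = "unauthorised access logged"
    elif gaps:
        verdict = "no unauthorised access logged, but coverage has gaps"
    else:
        verdict = "all logged accesses authorised; log contiguous"
    return {"logging_evident": True, "gaps": gaps,
            "unauthorised": unauthorised, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"])
    for e in result["unauthorised"]:
        print(f"  {e.when.isoformat()} {e.remote_ip} {e.operation} {e.key} -> {e.status}")
    for start, end in result["gaps"]:
        print(f"  gap: {start.isoformat()} .. {end.isoformat()}")
```

Run as a script it reports two unauthorised reads from 203.0.113.7 and one overnight gap longer than twelve hours. The ordering of the verdicts is deliberate: any unauthorised entry settles the question regardless of gaps, while a gap-free log with only application-server traffic is the one outcome that supports a statement stronger than "we have not seen".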