Commonwealth Bank in comedy Heartbleed blog FAIL

An attempt by Australia's Commonwealth Bank to reassure customers that they would not be harmed by the Heartbleed vulnerability has backfired spectacularly after tech-savvy customers made mincemeat out of a badly worded blog post. A bank representative blogged: “I’m happy to report that our customers can rest assured we are …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Surprise!

Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

People need to give themselves a shake and stop using MS products!

Hey, they run on IIS, it's a legitimate comment!!!!

1
52
Vic
Silver badge

Re: Surprise!

> Hey, they run on IIS, it's a legitimate comment!!!!

Netcraft seems to think they run on Linux.

From the look of the version number, they're running RHEL5, which has never been vulnerable to the Heartbleed bug.

Still, quite a monumentally stupid declaration from the bank...

Vic.

18
0
Anonymous Coward

Re: Surprise!

It'd be good if they *did* run on IIS - that's not affected (that we know of).

5
2
Bronze badge

Re: Surprise!

Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

Looks like we got ourselves another Anonymous Coward Troll -

https://www.google.co.uk/search?q=Why+is+it+that+when+we+see+the+word+%22exploit%22+or+the+phrase+%22security+problems/issues%22,+the+article+is+always+about+Microsoft.+site:forums.theregister.co.uk&biw=800&bih=506

7
1
Silver badge

Re: Surprise!

Hey, is that you Eden? We've missed you round these parts...

4
1

This post has been deleted by its author

Anonymous Coward

Re: Surprise!

IIS has been one of the most secure web servers for the last several years. No vulnerabilities at all in the last year, whilst both Nginx and Apache have had to patch holes in March. Hence presumably why IIS is now used by a third of the world's websites.

4
4
Silver badge

Re: Surprise!

>why IIS is now used by a third of the world's websites.

Wow I guess Microsoft is counting dev and test machines with IIS installed now then based on those numbers. Golf clap to them. Still I will be the first to admit they have came a very long way security wise in the last decade. Especially with the legacy garbage they started with.

1
1
Silver badge

Re: Surprise!

"Why is it that when we see the word "exploit" . . ."

Because you're an idiot.

1
0
Bronze badge
Paris Hilton

IIS - not affected

Is that because it doesn't need to be, or what?

0
0
Bronze badge

Re: IIS - not affected

Is that because it doesn't need to be, or what?

It's because Microsoft has its own SSL/TLS stack (SChannel, part of SSPI). Microsoft products don't use OpenSSL.

This is a vulnerability in a specific implementation of TLS. It is not a vulnerability in the TLS protocol, or in a cipher suite, which might affect multiple implementations. So it's not like the BEAST, CRIME, Lucky Thirteen, or RC4 attacks of recent memory.

IIS is not affected by Heartbleed for the same reason it wasn't affected by the Apple key-substitution bug or the GnuTLS "we skipped verifying the certificates and don't test our code" bug.

2
0
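The point the comment above makes (Heartbleed is a defect in one TLS implementation, not in the protocol, so only OpenSSL 1.0.1 through 1.0.1f is exposed, and stacks like SChannel, GnuTLS or NSS are not) is something a defender usually has to turn into an inventory check. The Python below is an added example, not code from the article, the bank or any commenter; the hostnames, libraries and version strings in `INVENTORY` are constructed for illustration, and the names `parse_openssl_version`, `heartbleed_status` and `assess` are this example's own.

```python
"""Classify Heartbleed exposure from a TLS-library inventory (added example)."""
import re
from typing import Dict, Tuple

# Heartbleed is a bug in OpenSSL's implementation of the TLS heartbeat
# extension, which OpenSSL gained in 1.0.1.  Upstream fixed it in 1.0.1g.
# Other TLS stacks (SChannel, GnuTLS, NSS, ...) never contained the bug,
# and OpenSSL 0.9.8/1.0.0 (e.g. the RHEL5-era builds) had no heartbeat code.
FIRST_AFFECTED = (1, 0, 1, "")   # 1.0.1 with no letter suffix
FIRST_FIXED = (1, 0, 1, "g")

# Constructed sample inventory: host -> (TLS library, version string).
INVENTORY = {
    "www.example-bank.test":    ("OpenSSL", "0.9.8e"),      # pre-1.0.1, never affected
    "api.example-bank.test":    ("OpenSSL", "1.0.1e-fips"), # base version in affected range
    "login.example-bank.test":  ("OpenSSL", "1.0.1g"),      # first fixed upstream release
    "legacy.example-bank.test": ("OpenSSL", "1.0.0l"),      # 1.0.0 branch, never affected
    "win.example-bank.test":    ("SChannel", "6.1"),        # Microsoft's own stack
    "ldap.example-bank.test":   ("GnuTLS", "3.2.12"),       # different implementation
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str]:
    """Turn '1.0.1e', '1.0.1e-fips' or '0.9.8e' into a comparable tuple.

    The letter suffix sorts after the bare release ('' < 'a' < 'b' ...),
    which matches OpenSSL's own release lettering.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def heartbleed_status(library: str, version: str) -> str:
    """Return 'not_affected', 'fixed' or 'vulnerable_range'.

    'vulnerable_range' means the base version lies in 1.0.1 .. 1.0.1f.  Linux
    distributions backport security fixes without changing the base version,
    so that verdict still needs confirmation against the package changelog;
    the version string alone cannot prove the host is (or is not) patched.
    """
    if library.lower() != "openssl":
        return "not_affected"          # the bug lives only in OpenSSL's code
    v = parse_openssl_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"          # no heartbeat extension before 1.0.1
    if v >= FIRST_FIXED:
        return "fixed"                 # 1.0.1g or later carries the fix
    return "vulnerable_range"


def assess(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map every host in the inventory to its Heartbleed status."""
    return {host: heartbleed_status(lib, ver)
            for host, (lib, ver) in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(assess(INVENTORY).items()):
        print(f"{host:28} {status}")
```

Only the `vulnerable_range` hosts need a closer look: for a distro package the changelog, not the `1.0.1e` in the banner, tells you whether the fix was backported, which is also why a bare "we have patched" or "we never used it" statement from a vendor says little without the version it refers to.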

Foot, meet bullet

A bit like Starbucks announcing that it has added cyanide antidote to all its coffee...

10
0
Silver badge
Joke

Re: Foot, meet bullet

Or like Starbucks announcing that there are absolutely no rat-droppings

in their coffee...

14
0

Re: Foot, meet bullet

Except at least then they would have *done* something... all the statement ever needed was to say "We are not affected by the heartbleed vulnerability"

I like a twitter post that points out that "Drew Unsworth" from the bank has "been working in online since the days before the internet and is a passionate early adopter."

https://www.commbank.com.au/blog/authors/drew-unsworth.html?ei=autag_aul

4
0
Gold badge
Devil

Re: Foot, meet bullet

Or like Starbucks announcing that there are absolutely no rat-droppings in their coffee...

Starbucks serve coffee?!?!

15
0

Re: Foot, meet bullet

All it says is that any coffee they happen to serve will not contain rat-droppings...

6
0
Silver badge

Re: Foot, meet bullet

No worse - it says we are changing our system to stop rat droppings in future.

That's what worries people.

10
0

Re: Foot, meet bullet

That'll get them thinking...

http://www.montypython.net/scripts/irritate-airline.php

0
0
Joke

Re: Foot, meet bullet@Rob Carriere

"All it says is that any rat-droppings they happen to serve might not contain coffee..."

There, FTFY!

6
1

This post has been deleted by its author

Re: Foot, meet bullet

Or like Starbucks announcing that there are absolutely no rat-droppings

in their coffee...

One word for you: civet.

http://en.wikipedia.org/wiki/Kopi_Luwak

1
0
Anonymous Coward

one good thing about Heartbleed ...

it's a quick way to tell who knows what they are talking about (very few, so far, IME).

4
0

Re: one good thing about Heartbleed ...

Press releases are not made by the IT folks.....they probably had to simplify their responses for the marketing team and rightly so, it's not their sphere of expertise - I'm not having a go at the marketing folks. As a result I wouldn't expect the marketing team to know the answer without referring back to IT

0
0
Bronze badge

Re: one good thing about Heartbleed ...

What do you expect when there is a PR shield in the way, they probably thought they could get accused of something and changed it to it.

0
0

At least they're not emailing world + dog to crow about their "security"

I've already had an email from someone I last did business with in 2008 asking me to change the password for an account that never existed and another from a certificate-issuer I haven't dealt with since 2004 suggesting a buy a new one as the long-expired cert might have been compromised.

So far it's just the incompetents and opportunists - I presume the criminals won't be far behind.

0
0
Silver badge
FAIL

I loved the front page news article from Cater Allen Bank (part of Santander):

"A number of news agencies and websites are currently reporting about the discovery of the 'Heartbleed Bug', a virus within software which is used by hackers as a way of compromising online security."

A virus. VIRUS. FFS.

18
0

RE: A virus. VIRUS. FFS.

Yes, the only major virus that I can see any evidence of at the moment is the highly contagious 'Utter Stupidity Bug'...

9
0
Anonymous Coward

I've been thinking of ditching Santander on account of their low online security. Haven't found a bank with strong online security yet, however. I'm talking encryption, here. Or pretend encryption. Bnuhc fo kefcrus.

1
1
Silver badge

I recently opened an account with Santander. I now have something like eight passwords I have to keep track of for this one account. (Plus they can send me OTPs to my mobile too.)

Do I really need eight passwords?!?

1
1
Bronze badge

Try HSBC, trusted by drug rings, black markets, rogue states and terrorists for well over a decade. They may be evil, but they don't fuck over their customers (At least not as much as other banks) and seem to be immune from the NSA, CIA, MI*, GCHQ, FSB, et al.

0
1
Coat

Yeah, well, pedents everywhere

We put a "we were not impacted by heartbleed" and even this wasn't specific enough - we of course meant that we weren't using openssl, but one client jumped on this to exclaim "How do you know you weren't impacted? It could have happened without you knowing!".

He's right of course. But so were we.

I'm off to the pub.

8
0

Re: Yeah, well, pedents everywhere

I'm just not going to tell him he's spelt pedants wrong in case he did so facetiously, no way, no sirree - y'all just move along there - nothing to see here...

6
0

This was tweeted about 5hrs ago:

CommBank ‏@CommBank 5h

NetBank does not (and did not) use OpenSSL. All customer data is safe. More detail here: https://www.commbank.com.au/blog/what-you-need-to-know-about-heartbleed.html?ei=r1_ta_c1_al …

1
0
Vic
Silver badge

> NetBank does not (and did not) use OpenSSL

Assuming that NetBank and Commbank are the same entity...

...how on earth are they serving https from Apache 2.2.3 on Red Hat Linux without using OpenSSL?

Vic.

3
0

Re: Apache & OpenSSL

They *could* have been using GnuTLS instead, but considering the extra work involved in doing that as opposed to installing the distro packages, that would be extremely unlikely.

The state of open source SSL libraries is a pretty sad affair right now. OpenSSL is the "defacto" standard mainly because it's been around for so long, but the code is so big and cumbersome, there's not a single person that knows everything about it (or probably even a large percentage). GnuTLS isn't really much better. I've read on some sites where developers dislike the GnuTLS code just as much (if not more) than OpenSSL.

Debian uses GnuTLS for some services (OpenLDAP is the first to come to mind), but they did that because of the licensing issues with OpenSSL (GnuTLS is LGPL).

1
0

NSS instantly springs to mind, with mod_nss. CyaSSL, PolarSSL (not for Apache, runs on Hiawatha).

0
0
Bronze badge

Assuming you believe him

>NetBank does not (and did not) use OpenSSL

No indication that he has anything more than a vague idea what is going on, as indicated by his repeated use of the word 'patched', in conjunction with his claim 'never used'.

Since he doesn't seem to know what he is talking about, that could possibly include "we never used the vulnerable versions of OpenSSL"

I'm not a member of LinkedIn. Does it show what his first degree was?

0
0
Bronze badge

Re: Apache & OpenSSL

GnuTLS isn't really much better

Understatement of the year. I've spent a lot more time in the bowels of the OpenSSL sources (an apt metaphor) than in the GnuTLS code, but from what I've seen, GnuTLS is worse.

0
0
Bronze badge

>NetBank does not (and did not) use OpenSSL

But I think that CommBiz (which is different to Netbank) goes to https://www.my.commbiz.commbank.com.au/.

And Qualys was reporting that the Commonwealth bank had a susceptibility -- now fixed.

0
0
Silver badge

>how on earth are they serving https from Apache 2.2.3 on Red Hat Linux without using OpenSSL?

Maybe they use RHEL/Apache as a reverse proxy to a bunch of IIS servers running the actual web code?

It's a fairly typical scenario and often fools sites like netcraft into thinking the site is running on apache.

0
0
Silver badge

I don't know if I had received a slightly reworded version of the email, or during English classes at school, I was actually paying attention.

The message *I* read was clear in that the regular CommBank informational website *was* susceptible, but since patched, but the NetBank backend was NOT susceptible, so not applicable for fixes, thus passwords did not have to be changed.

0
0
Bronze badge

Commonwealth bank down today!

Massive failure of their EFTPOS system today. Maybe unrelated. An outside chance that they stuffed up changing their key certificates (as some other people have already stuffed up)-- I'm watching with interest.

0
0
Bronze badge
Joke

Re: Commonwealth bank down today!

Not OpenSSL, that was an XP bug.

0
0
Bronze badge

Re: Commonwealth bank down today!

Still stonewalling on what the problem was. Which makes it likely that whatever it was, it was an act of stupidity that caused the outage.

0
0

Commbank and Commsec both down today from 8am Now 10.30am they say back up in 30mins and simply say they are investigating it. Very POOR.

0
0