Commonwealth Bank in comedy Heartbleed blog FAIL

An attempt by Australia's Commonwealth Bank to reassure customers that they would not be harmed by the Heartbleed vulnerability has backfired spectacularly after tech-savvy customers made mincemeat out of a badly worded blog post. A bank representative blogged: “I’m happy to report that our customers can rest assured we are …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    Hey, they run on IIS, it's a legitimate comment!!!!

    1. Vic

      Re: Surprise!

      > Hey, they run on IIS, it's a legitimate comment!!!!

      Netcraft seems to think they run on Linux.

      From the look of the version number, they're running RHEL5, which has never been vulnerable to the Heartbleed bug.

      Still, quite a monumentally stupid declaration from the bank...

      Vic.
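Vic's inference above (an RHEL5 OpenSSL banner means the 0.9.8 line, which never had the bug) is the same version-range check a defender runs across a fleet. The following is an added example, not code from this thread or from the bank: the host names and banners are constructed, and the comment in `heartbleed_status` carries the caveat that enterprise distributions backport fixes without changing the upstream version string.

```python
import re

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 prerelease;
# the 0.9.8 and 1.0.0 branches (RHEL5 ships 0.9.8e) never had the bug.
VULNERABLE_101_MAX_LETTER = 6  # 'f'
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter_rank, beta) from an OpenSSL banner.

    Accepts 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' as well as a bare '1.0.1g'.
    letter_rank is 0 for no patch letter, 1 for 'a' .. 26 for 'z', and orders
    double letters such as 0.9.8zh after 0.9.8z.  beta is None for a release.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version in {banner!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    rank = 0
    for ch in m.group(4):
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, rank, beta

def heartbleed_status(banner):
    """Classify by upstream version only: 'vulnerable' or 'not affected'.

    Caveat: distributions backport fixes without bumping the upstream version,
    so a 'vulnerable' 1.0.1e banner on an enterprise distro still needs the
    vendor package changelog checked before it is treated as exposed or fixed.
    """
    major, minor, fix, rank, beta = parse_openssl_version(banner)
    branch = (major, minor, fix)
    if branch == (1, 0, 1) and rank <= VULNERABLE_101_MAX_LETTER:
        return "vulnerable"  # 1.0.1 (and its betas) up to 1.0.1f
    if branch == (1, 0, 2) and beta == 1:
        return "vulnerable"  # 1.0.2-beta1 shipped the bug; beta2 did not
    return "not affected"

# Constructed sample inventory; these are not real hosts or the bank's systems.
SAMPLE_INVENTORY = {
    "rhel5-web": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
    "rhel6-web": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "rebuilt-web": "OpenSSL 1.0.1g 7 Apr 2014",
    "dev-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

def triage(inventory):
    """Map each host name to its Heartbleed status, judged from the banner alone."""
    return {host: heartbleed_status(banner) for host, banner in inventory.items()}
```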

    2. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      It'd be good if they *did* run on IIS - that's not affected (that we know of).

      1. I. Aproveofitspendingonspecificprojects
        Paris Hilton

        IIS - not affected

        Is that because it doesn't need to be, or what?

        1. Michael Wojcik Silver badge

          Re: IIS - not affected

          > Is that because it doesn't need to be, or what?

          It's because Microsoft has its own SSL/TLS stack (SChannel, part of SSPI). Microsoft products don't use OpenSSL.

          This is a vulnerability in a specific implementation of TLS. It is not a vulnerability in the TLS protocol, or in a cipher suite, which might affect multiple implementations. So it's not like the BEAST, CRIME, Lucky Thirteen, or RC4 attacks of recent memory.

          IIS is not affected by Heartbleed for the same reason it wasn't affected by the Apple key-substitution bug or the GnuTLS "we skipped verifying the certificates and don't test our code" bug.

    3. Jason Bloomberg Silver badge

      Re: Surprise!

      > Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

      Looks like we got ourselves another Anonymous Coward Troll -

      https://www.google.co.uk/search?q=Why+is+it+that+when+we+see+the+word+%22exploit%22+or+the+phrase+%22security+problems/issues%22,+the+article+is+always+about+Microsoft.+site:forums.theregister.co.uk&biw=800&bih=506

      1. This post has been deleted by its author

    4. A Non e-mouse Silver badge

      Re: Surprise!

      Hey, is that you Eden? We've missed you round these parts...

    5. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      IIS has been one of the most secure web servers for the last several years. No vulnerabilities at all in the last year, whilst both Nginx and Apache have had to patch holes in March. Hence presumably why IIS is now used by a third of the world's websites.

      1. asdf

        Re: Surprise!

        >why IIS is now used by a third of the world's websites.

        Wow, I guess Microsoft is counting dev and test machines with IIS installed now then, based on those numbers. Golf clap to them. Still, I will be the first to admit they have come a very long way security-wise in the last decade. Especially with the legacy garbage they started with.

    6. dan1980

      Re: Surprise!

      "Why is it that when we see the word "exploit" . . ."

      Because you're an idiot.

  2. Dick Pountain

    Foot, meet bullet

    A bit like Starbucks announcing that it has added cyanide antidote to all its coffee...

    1. Anonymous Coward
      Joke

      Re: Foot, meet bullet

      Or like Starbucks announcing that there are absolutely no rat-droppings in their coffee...

      1. I ain't Spartacus Gold badge
        Devil

        Re: Foot, meet bullet

        > Or like Starbucks announcing that there are absolutely no rat-droppings in their coffee...

        Starbucks serve coffee?!?!

        1. Rob Carriere

          Re: Foot, meet bullet

          All it says is that any coffee they happen to serve will not contain rat-droppings...

          1. Yet Another Anonymous coward Silver badge

            Re: Foot, meet bullet

            No, worse - it says we are changing our system to stop rat droppings in future.

            That's what worries people.

            1. TheRealRoland

              Re: Foot, meet bullet

              That'll get them thinking...

              http://www.montypython.net/scripts/irritate-airline.php

          2. Kane
            Joke

            Re: Foot, meet bullet @Rob Carriere

            "All it says is that any rat-droppings they happen to serve might not contain coffee..."

            There, FTFY!

      2. This post has been deleted by its author

      3. Barry Rueger

        Re: Foot, meet bullet

        > Or like Starbucks announcing that there are absolutely no rat-droppings in their coffee...

        One word for you: civet.

        http://en.wikipedia.org/wiki/Kopi_Luwak

    2. Shocker-z

      Re: Foot, meet bullet

      Except at least then they would have *done* something... all the statement ever needed was to say "We are not affected by the Heartbleed vulnerability"

      I like a twitter post that points out that "Drew Unsworth" from the bank has "been working in online since the days before the internet and is a passionate early adopter."

      https://www.commbank.com.au/blog/authors/drew-unsworth.html?ei=autag_aul

  3. Anonymous Coward
    Anonymous Coward

    one good thing about Heartbleed ...

    it's a quick way to tell who knows what they are talking about (very few, so far, IME).

    1. Infidellic_

      Re: one good thing about Heartbleed ...

      Press releases are not made by the IT folks... they probably had to simplify their responses for the marketing team, and rightly so, it's not their sphere of expertise - I'm not having a go at the marketing folks. As a result I wouldn't expect the marketing team to know the answer without referring back to IT.

    2. Captain Scarlet

      Re: one good thing about Heartbleed ...

      What do you expect when there is a PR shield in the way? They probably thought they could get accused of something and changed it to it.

  4. Warm Braw

    At least they're not emailing world + dog to crow about their "security"

    I've already had an email from someone I last did business with in 2008 asking me to change the password for an account that never existed, and another from a certificate-issuer I haven't dealt with since 2004 suggesting I buy a new one as the long-expired cert might have been compromised.

    So far it's just the incompetents and opportunists - I presume the criminals won't be far behind.

  5. Velv
    FAIL

    I loved the front page news article from Cater Allen Bank (part of Santander):

    "A number of news agencies and websites are currently reporting about the discovery of the 'Heartbleed Bug', a virus within software which is used by hackers as a way of compromising online security."

    A virus. VIRUS. FFS.

    1. TitterYeNot

      RE: A virus. VIRUS. FFS.

      Yes, the only major virus that I can see any evidence of at the moment is the highly contagious 'Utter Stupidity Bug'...

  6. Anonymous Coward
    Anonymous Coward

    I've been thinking of ditching Santander on account of their low online security. Haven't found a bank with strong online security yet, however. I'm talking encryption, here. Or pretend encryption. Bnuhc fo kefcrus.

    1. A Non e-mouse Silver badge

      I recently opened an account with Santander. I now have something like eight passwords I have to keep track of for this one account. (Plus they can send me OTPs to my mobile too.)

      Do I really need eight passwords?!?

    2. Crazy Operations Guy

      Try HSBC, trusted by drug rings, black markets, rogue states and terrorists for well over a decade. They may be evil, but they don't fuck over their customers (At least not as much as other banks) and seem to be immune from the NSA, CIA, MI*, GCHQ, FSB, et al.

  7. Billa Bong
    Coat

    Yeah, well, pedents everywhere

    We put a "we were not impacted by heartbleed" and even this wasn't specific enough - we of course meant that we weren't using openssl, but one client jumped on this to exclaim "How do you know you weren't impacted? It could have happened without you knowing!".

    He's right of course. But so were we.

    I'm off to the pub.

    1. madmalc

      Re: Yeah, well, pedents everywhere

      I'm just not going to tell him he's spelt pedants wrong in case he did so facetiously, no way, no sirree - y'all just move along there - nothing to see here...

  8. Tempest8008

    This was tweeted about 5hrs ago:

    CommBank @CommBank 5h

    NetBank does not (and did not) use OpenSSL. All customer data is safe. More detail here: https://www.commbank.com.au/blog/what-you-need-to-know-about-heartbleed.html?ei=r1_ta_c1_al …

    1. Vic

      > NetBank does not (and did not) use OpenSSL

      Assuming that NetBank and Commbank are the same entity...

      ...how on earth are they serving https from Apache 2.2.3 on Red Hat Linux without using OpenSSL?

      Vic.

      1. Justin Pasher

        Re: Apache & OpenSSL

        They *could* have been using GnuTLS instead, but considering the extra work involved in doing that as opposed to installing the distro packages, that would be extremely unlikely.

        The state of open source SSL libraries is a pretty sad affair right now. OpenSSL is the "de facto" standard mainly because it's been around for so long, but the code is so big and cumbersome that there's not a single person that knows everything about it (or probably even a large percentage). GnuTLS isn't really much better. I've read on some sites where developers dislike the GnuTLS code just as much (if not more) than OpenSSL.

        Debian uses GnuTLS for some services (OpenLDAP is the first to come to mind), but they did that because of the licensing issues with OpenSSL (GnuTLS is LGPL).

        1. Michael Wojcik Silver badge

          Re: Apache & OpenSSL

          > GnuTLS isn't really much better

          Understatement of the year. I've spent a lot more time in the bowels of the OpenSSL sources (an apt metaphor) than in the GnuTLS code, but from what I've seen, GnuTLS is worse.

      2. Trixr

        NSS instantly springs to mind, with mod_nss. CyaSSL, PolarSSL (not for Apache, runs on Hiawatha).

      3. Goat Jam

        > how on earth are they serving https from Apache 2.2.3 on Red Hat Linux without using OpenSSL?

        Maybe they use RHEL/Apache as a reverse proxy to a bunch of IIS servers running the actual web code?

        It's a fairly typical scenario and often fools sites like Netcraft into thinking the site is running on Apache.

    2. david 12 Silver badge

      Assuming you believe him

      >NetBank does not (and did not) use OpenSSL

      No indication that he has anything more than a vague idea what is going on, as indicated by his repeated use of the word 'patched', in conjunction with his claim 'never used'.

      Since he doesn't seem to know what he is talking about, that could possibly include "we never used the vulnerable versions of OpenSSL"

      I'm not a member of LinkedIn. Does it show what his first degree was?

    3. david 12 Silver badge

      > NetBank does not (and did not) use OpenSSL

      But I think that CommBiz (which is different to Netbank) goes to https://www.my.commbiz.commbank.com.au/.

      And Qualys was reporting that the Commonwealth bank had a susceptibility -- now fixed.

  9. John Tserkezis

    I don't know if I had received a slightly reworded version of the email, or if during English classes at school I was actually paying attention.

    The message *I* read was clear in that the regular CommBank informational website *was* susceptible, but since patched, but the NetBank backend was NOT susceptible, so not applicable for fixes, thus passwords did not have to be changed.

  10. david 12 Silver badge

    Commonwealth bank down today!

    Massive failure of their EFTPOS system today. Maybe unrelated. An outside chance that they stuffed up changing their key certificates (as some other people have already stuffed up) -- I'm watching with interest.

    1. sam bo
      Joke

      Re: Commonwealth bank down today!

      Not OpenSSL, that was an XP bug.

    2. david 12 Silver badge

      Re: Commonwealth bank down today!

      Still stonewalling on what the problem was. Which makes it likely that whatever it was, it was an act of stupidity that caused the outage.

  11. This post has been deleted by its author
