Apr 9, 2014

Heartbleed reveals a big hole in Australia’s cybersecurity strategy

Now this is a fair dinkum threat to internet security: the Heartbleed bug threatens to impact thousands of websites and the everyday security of internet users. Smaller web users are most vulnerable.

Stilgherrian — Technology writer and broadcaster

Heartbleed, a newly discovered security flaw in the most widely used software for encrypting web traffic, is indeed a “big deal”, as Fairfax and, well, everyone is reporting. It’s a real problem that could affect every Australian’s everyday security online in ways we’re only beginning to understand. Yet our cybersecurity policies focus on esoteric threats like terrorist attacks. Wrong.

More formally known as CVE-2014-0160, its catalogue number in the database of software security vulnerabilities now sponsored by the United States Department of Homeland Security, Heartbleed is a flaw in software called OpenSSL, which is used to encrypt internet traffic — including, typically, the data flows between your computer and a secure website, or between the apps running on your smartphone and the remote computers that provide the services in question.


10 thoughts on “Heartbleed reveals a big hole in Australia’s cybersecurity strategy”

  1. paddy

    It’s one scary situation.
    I noticed that The Mail Online (along with some much more reliable sources) had noted that the Commonwealth Bank of Australia was one of the vulnerable sites.
    I rang them this morning and attempted to find out if they’d patched their servers.
    Got no sense out of the frontline staff and asked to speak to the IT dept.
    No joy there either. (I guess they were *extremely* busy!)

    At this stage, I’m wondering if it’s worth changing my password? I’d certainly like to know that the bank’s patched its systems before I bother.
    (My acct has not been tampered with….yet.)

  2. gdt

    Heartbleed is the internet equivalent to discovering that the front door locks on two-thirds of Australian businesses could have been opened.

    It took Lockwood a long time to add key bumping counter-measures to their 001 deadlatch, so don’t press that analogy too hard or you might just find that the government has no real care for the security of the populace, online or otherwise.

    As for the bug, being able to pull out 64KB of memory adjacent to the certificate is a shocker, especially given the usual “start SSL, then ask for password” flow of execution of many websites.

    Where the government would be useful is in bringing pressure to bear on embedded systems manufacturers. Have you seen even one update for a DSL router yet? Maybe the ACCC can apply pressure via the “merchantable quality” requirements or maybe the government needs to legislate. But if you asked which platforms would still be vulnerable to the bug in a year’s time then most of them will be embedded systems.

    I am not sure what I think about small business and computer security. There’s certainly a major issue there. But it’s not just bugs appearing out of the blue which defeats them. No business should be running Windows XP today, but as I look around…

    It’s also interesting to explore the use of the bug to create a business opportunity, complete with nice promotional website.

  3. Chris Hartwell

    Far worse @gdt – no government, nor arm of it, should still be running WinXP. Alas…

  4. paddy

    Interesting podcast from Leo Laport & Steve Gibson on Heartbleed here.

  5. ggm

    Not wanting to minimize the risk, as I understand it, the hole has been shown to reveal some data. But only potentially to reveal the big risk data. So, an awful lot of COULD and MAY and POTENTIALLY has to be put back into some of the sentences.

    Yes, it shares plaintext memory state across the network link. But I haven’t yet seen a write-up confirming this actually did share the plaintext/binary of the private SSL key of a server.

    The Yahoo password/username leak is of course bad. But the ‘reissue your server cert’ thing is mostly (as I have read it) about POTENTIAL risk of key loss, not actual, confirmed key loss. I haven’t seen the private key of a server published online anywhere yet. I have seen claims and counterclaims about this. Some say they got their own X509 data. Google says they saw stale buffers only. Perhaps because Google runs popular sites the buffer leak is overwritten rapidly; on a quiet server, more data is preserved.

  6. Simon Mansfield

    Just to give some perspective – it took me less than 30 seconds to fix each at-risk server this morning.

    login as root
    at prompt type: yum update openssl
    then enter: “y” to accept update
    then enter: service httpd restart

    Compared to last month’s root compromise and last year’s php/mysql hijack and X-rated Trojan download – which both required a full OS reload and a whole host of follow-on problems to fix – this was the easiest server security issue to deal with in a long time. And best of all – it did not cause any downtime or cost any money to fix.

    But yes, the 3 dollar starter kit for the Anon script kiddies that BK all too often lauds as tomorrow’s heroes – is going to be a hot seller in the coming days.
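The update-and-restart procedure in the comment above leaves open the question of whether a host is actually clean afterwards. The following shell functions are an added example (not from the article or any commenter) for checking that: they classify the upstream `openssl version` string, look for the CVE in a backported package changelog, and list daemons still holding the replaced library. The lsof excerpt is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the article or any commenter: three checks for
# whether a host is still exposed after the "yum update openssl" step.
# Sample data below is constructed; the functions read real tool output.

# Upstream OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) carry Heartbleed;
# 1.0.1g removed it; the 0.9.8 and 1.0.0 branches never had the code.
# Takes the first line of `openssl version` and prints a verdict.
heartbleed_version_status() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z-]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*)                    echo fixed ;;
        0.9.*|1.0.0*)                          echo not-affected ;;
        *)                                     echo unknown ;;
    esac
}

# Enterprise distributions backport the fix without changing the upstream
# version (a patched RHEL/CentOS box still reports 1.0.1e), so there the
# version verdict is misleading and the package changelog is authoritative:
#   rpm -q --changelog openssl | changelog_has_fix
# Exit status 0 when the text on stdin mentions the CVE.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# Updating the package does not touch daemons already running; they keep
# the old libssl mapped until restarted (hence "service httpd restart").
# Linux marks the replaced file "(deleted)" in lsof, so:
#   lsof -n | stale_libssl_processes
# prints the distinct process names that still need a restart.
stale_libssl_processes() {
    awk '/libssl.*\(deleted\)/ { print $1 }' | sort -u
}

# Constructed lsof -n excerpt: two httpd workers still on the replaced
# library file, sshd already restarted onto the new one.
SAMPLE_LSOF='httpd  1234 apache mem REG 253,0 398264 131 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd  1235 apache mem REG 253,0 398264 131 /usr/lib64/libssl.so.1.0.1e (deleted)
sshd    900 root   mem REG 253,0 398264 140 /usr/lib64/libssl.so.1.0.1e'

echo "1.0.1e-fips: $(heartbleed_version_status 'OpenSSL 1.0.1e-fips 11 Feb 2013')"
echo "1.0.1g:      $(heartbleed_version_status 'OpenSSL 1.0.1g 7 Apr 2014')"
echo "restart needed: $(printf '%s\n' "$SAMPLE_LSOF" | stale_libssl_processes)"
```

On a backporting distribution treat a "vulnerable" version verdict as "check the changelog", and on any system treat a non-empty restart list as still exposed regardless of what the package manager says.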

  7. Jimmy Harris

    @Paddy – I checked CBA this morning and they had been patched (at least the online URL I get sent to) according to http://filippo.io/Heartbleed/#www1.my.commbank.com.au.

  8. @chrispydog

    Where are they indeed?

    Risk perception is played like a Strad by our political overlords, who are themselves played for mugs by the spook class.

    We end up paying our taxes into this bottomless pit as it methodically hoovers up our privacy.

    At least the bad hackers don’t pretend to be ‘keep you safe’!

  9. @chrispydog


  10. Richard Frost

    In regards to ComBank they have said they have patched the bug and no customers were at risk – but by admitting to have patched the bug means they were exposed – so that would mean all customers now need to change their passwords. I would like to see ComBank take this a bit more seriously and be more frank to the public about how exposed they were if they had to patch it – did they have an old OpenSSL version that was safe or a newer one that was broken? Their customers need to know. Have a look at the comments in their response to their security alert here – it’s just a constant copy/paste of a PR mantra with no response to the questions being asked: https://www.commbank.com.au/blog/what-you-need-to-know-about-heartbleed.html
