How Not to Manage Technology PR

Yesterday the Commonwealth Bank's social media team/person got their feet put to the fire over a blog post seeking and failing to detail the bank's response to the heartbleed OpenSSL flaw.  To get across this it's necessary to first go into what heartbleed is.

Up until the 7th of April when the patch was released, assuming the websites you communicate with acted immediately, websites your computer connected to in order to show the page you wanted were missing a "bounds check" in the heartbeat extension to the software that secures your communication.  Bounds checks make sure that information stored in memory is read and written only to a fixed extent, and the lack of one in heartbleed affected sites and applications could be told to read back a section of memory as a security check which was larger than the amount of memory needed to store the check value and subsequently return other stuff in memory stored after it.  Imagine I give you a password which you write on the first page of a paper diary so that if I ring you, you can recite it and I can be sure I'm speaking to you.  I then ring and ask you to confirm your identity by reading the first 100 pages of your diary.  Being obedient and without a proper bounds check, you read the secret password and then continue on leafing through your diary to recite the name of that hot guy or girl at work, your progress towards saving a deposit on a first home, your recipe for tuna and sweet potato risotto and precisely what you think of your mother in law.

The real word tech implications of this are pretty disastrous.  Actual security breaches have occurred and the footprint of the affected software was huge due to its popularity.  A really big deal.

People want to know what this means for their personal safety, and one of the popular (and correct) assumptions is that if ever you entered a username and password into a website which was stored in memory after the bit of memory that the software was authorised to ask for, it may have been revealed to an attacker.  If you've used a website that reported that it has patched the bug, this means that the memory can no longer be erroneously read. What it doesn't mean is you're safe - your password can now be in an Excel spreadsheet being sold on the Silk Road for fifty euros, having been revealed back when the site wasn't patched.  You should change your password if a service admits it has patched the vulnerability.

Enter the social media expertise of the Commonwealth Bank. In a blog post titled What You Need to Know About Heartbleed, they detailed a lot of assurances about how good CBA's staff are at managing security, how nobody needs to worry, but not whether they were;

  1. Not users of OpenSSL, or at least the affected version, and never have been, or
  2. OpenSSL users who have patched it to a version that is not affected, but because passwords may have been revealed users would need to change passwords on CBA services and other services where that password was also used

Ironically for a post titled What You Need to Know About Heartbleed, the post did not tell people what they needed to know about heartbleed.

The reality according to CBA is option 1, but this only came in an update after the social media presence, presumably acting in isolation of IT engineers who could've provided more appropriate answers to customer questions (for example technically plausible and correct ones), repeated the same approved communications points without calling for backup, and after it had long been detailed that the boilerplate nothing to see here wasn't addressing what people by now understood to be a choice between two specific factual circumstances.

From the post in response to one question;

Hi @jamesmacyou do not need to change your NetBank password. We are patched against the Heart Bleed bug. We are dedicated to ensuring our data and that of our customers is safe and secure. We take matters of security very seriously and our security teams are always up to date with all of the latest security developments so that we can continually strengthen the protections we have in place.

Then in response to another;

Hi @ac3we are patched against the Heart Bleed bug. We are dedicated to ensuring our data and that of our customers is safe and secure. Our security teams constantly monitor and stay abreast of the latest security technologies and updates, and we continually strengthen the protections we have in place.

And another

Hi @Nathanyou can use NetBank and our websites with confidence. You do not need to change your NetBank password and we are patched against the Heart Bleed bug. We take matters of security very seriously and our security teams are always up to date with all of the latest security developments so that we can continually strengthen the protections we have in place.

And so it goes on with increasingly terse and outraged comments demanding that the moderator provide which of the two circumstances are applicable in which people can actually be assured or use with confidence or whichever other positive emotions suit.

User Nathan summed it up;

Please answer cammac's and ChadNash's questions properly.Your current responses to both of them completely ignored the key issue they raised. Simply repeating "we are patched" doesn't help, quite the reverse: it implies you have been vulnerable up until this week when the patch was released.

No demands for further information were met until the blog post was updated in its entirety, long after it's safe to assume that the social media, public relations, communications and marketing staff finally went to an engineer and asked for the facts of the issue.  CBA has suffered widespread outages today directly after the social media heat.  Whether that's incidental or whether they weren't completely transparent and the outages are associated with remediation work for heartbleed is unclear and it's likely that it'll remain that way.

Managing technology security risks for a major financial institution in 2014 is like patting a baby to sleep. Your soothing words and assurances that everything is OK only work if the baby isn't sitting in stink.  If it is, you need to fix the technical issues before the lullaby is going to get you a moment's respite. This is because while cooing is a valuable enough skill it's only useful in the specific set of circumstances where there is no clear evidence that everything is not OK.  Ignore evidence of disaster that the baby knows about and focus on positive messaging and you'll get constant wailing and perhaps more stink until you address it.

Hopefully the next time a vexing flaw is discovered in a pervasively used piece of security software, Commbank will remember that, the memory underscored by the lesson it had to learn this time.  Remember to use sanitiser gel on your hands guys.

Image:  CarbonNYC