3. Who Am I?
• Manager, Security Policy - .nz DNC
• Chair – NZITF

4. What is the NZITF?
The New Zealand Internet Task Force is a non-profit with the mission of improving the cyber security posture of New Zealand. It is a collaborative effort based on mutual trust of its members.

5. April 7th 2014 – What happened
• Note – it was already April 8th in NZ
• An NZITF member posts to our list – ‘hey - is this a thing?’
• And then the international media and mailing lists start to ‘light up’
• On and off list discussion……

6. Later that day…..
• Gov’t agency – “we are assessing it now” (We are from the Government and we’re here to help)
• Then………

7. 24 hours later…
• Morning of April 9th in NZ – still nothing from Gov’t or (surprisingly) any local media attention
• NZITF Board member (eventually) says this is F*$%#D – we have to stand up a response

8. NZITF Gets Busy……
• Plough through what is out there
• Open a conf call to get members involved and assess the scale etc.
• Use members’ media/comms teams to alert the Media (but manage their story)
• Get the right (simple) advice out
• Establish that the NZITF site is the definitive source for NZ on this

10. Test page and scanning
• Get our own Test page up and start scanning for unpatched sites in NZ…….
• STOP……..

11. Section 252 - Accessing computer system without authorisation
Every one is liable to imprisonment for a term not exceeding 2 years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.

12. Avoiding Jail….
• Linked to Qualys Test
• Shared details about who had patched
• Follow up advice and media
• Ongoing discussion about the law
• One NZ MSSP stated that within first 48 hours 40% of their customer base had been scanned for Heartbleed
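The slide above describes the defensible alternative to scanning other people's hosts: point operators at a third-party test and let them check their own systems. The first thing an operator checking their own estate wants is a quick triage of the OpenSSL builds they run. The following is an added example, not code from the NZITF deck or from Qualys: it classifies the output of `openssl version` on a host you administer against the Heartbleed-affected upstream releases (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g; the 0.9.8 and 1.0.0 branches were never affected). The sample version strings are constructed for illustration. The important caveat, which the code carries as a status value rather than a verdict, is that many distributions backported the fix without bumping the upstream version string, so a match means "possibly affected, confirm via the package changelog or a handshake-level test of your own server", not "confirmed vulnerable".

```python
"""Triage `openssl version` output against the Heartbleed-affected OpenSSL range.

Added example for the NZITF Heartbleed deck; not the deck's own code.
Affected upstream releases: 1.0.1, 1.0.1a-1.0.1f and 1.0.2-beta1. Fixed in 1.0.1g.
Distro backports may keep an old version string, hence "possibly-affected".
"""
import re
import subprocess

# Patch letters of the 1.0.1 branch that shipped the vulnerable heartbeat code.
AFFECTED_PATCH_LETTERS = set("abcdef")

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ..." or
# "OpenSSL 1.0.2-beta1 24 Feb 2014"; the date suffix is ignored.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter, prerelease) or None if not OpenSSL."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre


def heartbleed_status(text):
    """Classify a version string as 'possibly-affected', 'not-affected' or 'unknown'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"          # not OpenSSL (e.g. LibreSSL) or unparseable
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # Bare 1.0.1 and 1.0.1a..1.0.1f carry the bug; 1.0.1g and later do not.
        if letter == "" or letter in AFFECTED_PATCH_LETTERS:
            return "possibly-affected"
        return "not-affected"
    if (major, minor, fix) == (1, 0, 2) and pre == "beta1":
        return "possibly-affected"
    # 0.9.8, 1.0.0, 1.0.2-beta2 and newer branches never had the heartbeat bug.
    return "not-affected"


def local_openssl_status():
    """Run `openssl version` on this machine (your own host) and classify it."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, timeout=5).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return heartbleed_status(out)


# Constructed sample strings in the shape `openssl version` printed at the time.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",      # possibly-affected (or a backported fix)
    "OpenSSL 1.0.1g 7 Apr 2014",       # not-affected: the upstream fix release
    "OpenSSL 1.0.2-beta1 24 Feb 2014", # possibly-affected
    "OpenSSL 0.9.8y 5 Feb 2013",       # not-affected: branch never had heartbeat
    "LibreSSL 2.0.0",                  # unknown: not OpenSSL
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {heartbleed_status(sample)}")
    print("this host ->", local_openssl_status())
```

Treat "possibly-affected" as a prompt to read the package changelog or run the vendor's own handshake test against the server you are responsible for; a clean version string on a host that was patched by upgrading the OpenSSL package is still no help if long-running services were never restarted to pick up the new library.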
13. During this……
• Tech company with a large customer base: “First time I have ever been truly pleased about being a Microsoft stack company” “we will publish a “we were not affected” statement” ………..sometime later…….
• Where’s your ‘not affected’ statement? “I just finished checking with our vendors and suppliers!”

14. So much Heartbleed!
• Open SSL everywhere and these are the first guys to do a decent code review……..