Heartbleed Bug: A Musician’s Guide To The Web’s Biggest Security Threat
Ideally you’ve already heard of Heartbleed and are acting accordingly. If not, you need to know that a “crypto bug” in OpenSSL has been identified that, if exploited, “allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.” Yeah, yeah, sounds scary but what’s a musician to do? It’s time to start changing passwords on such services as SoundCloud, Gmail, Tumblr and Facebook. Then be prepared to repeat the process.
What Is This Heartbleed Bug?
The Heartbleed Bug is real and the stories of its exploits will only come after it’s too late to protect yourself.
Here’s what the researchers say:
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
This understated delivery is balanced out by security researchers such as Bruce Schneier, who describes Heartbleed as a “catastrophic bug”:
“On the scale of 1 to 10, this is an 11.”
More background and technical stuff for those so inclined:
Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping
Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
What’s A Musician To Do?
Services for which you should definitely change your password include Facebook, Tumblr, Google, Yahoo, Gmail, Yahoo Email, Amazon Web Services, GoDaddy, Intuit/TurboTax, Dropbox and SoundCloud.
If a service’s status is listed as “Unclear,” change your password there too; Pinterest, Apple and Twitter fall into that category.
You can also check your server for Heartbleed.
If you have old accounts for online services, now’s a good time to start ditching them, even if they weren’t affected.
Be Prepared To Repeat The Process…More Than Once
“If you reset your password now on a website that is still vulnerable, you’re probably wasting your time. After all, a hacker could theoretically read the new password from a vulnerable computer’s memory as you were resetting it. And there are scripts out there now that make it pretty easy to get a memory dump from a vulnerable server. But, two days after its public disclosure, most banks and most responsible web sites have made the update. Facebook is patched. So is Microsoft.”
But the threat isn’t over that easily:
“The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies.”
Welcome to the future. Now suck it up and go change those passwords.
Hypebot Senior Contributor Clyde Smith (@fluxresearch) posts music crowdfunding news @CrowdfundingM. To suggest topics about music tech, DIY music biz or music marketing for Hypebot, contact: clyde(at)fluxresearch(dot)com.
“Services for which you should definitely change your password include Facebook, Tumblr, Google, Yahoo, Gmail, Yahoo Email, Amazon Web Services, GoDaddy, Intuit/TurboTax, Dropbox, SoundCloud”
So that’s basically every single web service in the world then?
This wouldn’t be fear-mongering at all, would it?