FRI. NEWS BRIEF: Rock Hall Induction, Labels Sue Kim Dotcom,, Amazon Streaming & More
Artist Marketing Platform Zankme Shuts Down

Heartbleed Bug: A Musician's Guide To The Web's Biggest Security Threat

Heartbleed-bug-logoIdeally you've already heard of Heartbleed and are acting accordingly. If not, you need to know that a "crypto bug" in OpenSSL has been identified that, if exploited, "allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users." Yeah, yeah, sounds scary but what's a musician to do? It's time to start changing passwords on such services as SoundCloud, Gmail, Tumblr and Facebook. Then be prepared to repeat the process.

What Is This Heartbleed Bug?

The Heartbleed Bug is real and the stories of its exploits will only come after it's too late to protect yourself.

Here's what the researchers say:

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

This understated delivery is balanced out by security researchers such as Bruce Schneier who describes Heartbleed as a "catastrophic bug":

"On the scale of 1 to 10, this is an 11."

More background and technical stuff for those so inclined:

Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style

What's A Musician To Do?

Mashable has a list of popular web services and how they're affected including info on whether or not you need to change your password.

Services for which you should definitely change your password include Facebook, Tumblr, Google, Yahoo, Gmail, Yahoo Email, Amazon Web Services, GoDaddy, Intuit/TurboTax, Dropbox, SoundCloud

If the answer is "Unclear" then definitely change it for that service too such as Pinterest, Apple and Twitter.

You can also check your server for Heartbleed.

If you have old accounts for online services now's a good time to start ditching them even if they weren't affected.

Be Prepared To Repeat The Process...More Than Once

Keep this in mind:

"If you reset your password now on a website that is still vulnerable, you’re probably wasting your time. After all, a hacker could theoretically read the new password from a vulnerable computer’s memory as you were resetting it. And there are scripts out there now, that make it pretty easy to get a memory dump from a vulnerable server. But, two days after its public disclosure, most banks and most responsible web sites have made the update. Facebok is patched. So is Microsoft."

But the threat isn't over that easy:

"The researchers, who work at Google and software security firm Codenomicon, said even after vulnerable websites install the OpenSSL patch, they may still remain vulnerable to attacks. The risk stems from the possibility that attackers already exploited the vulnerability to recover the private key of the digital certificate, passwords used to administer the sites, or authentication cookies and similar credentials used to validate users to restricted parts of a website. Fully recovering from the two-year-long vulnerability may also require revoking any exposed keys, reissuing new keys, and invalidating all session keys and session cookies."

Welcome to the future. Now suck it up and go change those passwords.


Hypebot Senior Contributor Clyde Smith (@fluxresearch) posts music crowdfunding news @CrowdfundingM. To suggest topics about music tech, DIY music biz or music marketing for Hypebot, contact: clyde(at)fluxresearch(dot)com.