The good news: you’ve been safe when shopping at musiciansfriend.com all along
A security bug has recently been found in OpenSSL, an encryption library used by many websites to protect personal and financial information. Hackers familiar with how the software works have potentially been able to intercept information such as passwords, user names, and other private data. This vulnerability raises a lot of concerns since the bug has been in place for more than two years and has impacted some of the Internet’s largest businesses.
How it works
The Heartbleed bug allows hackers to steal the encryption keys that enable intercepted data to be decoded and read. Using these keys, cyber thieves can potentially intercept, without being noticed, secure data being transmitted between users and website servers without having to establish a secure connection themselves.
Web security firm Codenomicon has issued a report detailing how the bug can be exploited and what steps should be taken by websites to eliminate future risks. A bug fix has been issued and is being widely implemented. The company’s take on the state of affairs is quite ominous:
Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.
Has your data been compromised?
Given the scope of the Heartbleed bug, it’s quite likely that some of your private data is or has been at risk. As Codenomicon puts it:
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.
The good news for Musician’s Friend customers
The Musician’s Friend IT department has determined that the version of OpenSSL used on its servers does NOT have the Heartbleed bug vulnerability, and hence your private information has been secure from Heartbleed attacks all along.
How to protect yourself
According to web security experts, it’s probably wise to assume that your online accounts have been compromised. They recommend that you change your passwords, especially on those accounts that have required you to provide personal and financial information. But they also caution that doing so on sites that still have the Heartbleed vulnerability will not help.
Qualys SSL Labs provides a free online tool with which you can test any company’s website to determine its level of encryption security. The Qualys service provides a letter grade assessment of each site’s security.