Many mainstream news outlets offered advice on dealing with the Heartbleed bug – some misleading. This week, a spoof video has finally cut to the heart of the matter, and offered the worst advice imaginable on how to deal with the bug.
The Heartbleed bug has provoked a tide of bad security advice, the like of which has rarely been seen in human history – as mainstream media outlets raced to provide Heartbleed advice simple enough for readers, but only vaguely related to the story at hand.
This week, a spoof video has finally cut to the heart of the matter, and offered the worst advice imaginable on how to deal with the bug – much of it resembling real Heartbleed advice doled out by TV stations and newspapers.
Created by online comedians Slacktory, it manages to outpace even the awful Heartbleed advice offered by should-know-better sites such as Tumblr (theirs is below). Slacktory offer gems such as, “Always use a secure password. Our research indicates that the most secure password is seven, LK in capitals and a pound sign, then the number 3. Ideally, everyone should be using it.”
The advice goes on to get even worse – delivered by a deadpan ‘expert’ in a convincingly serious tone. The best way to appreciate it, of course, is to watch. “Don’t visit suspicious-looking sites – if you accidentally do, contact your ISP and ask them to delete your history,” he says.
In the wake of reports of the bug, the internet flooded with advice on how to deal with it – much of which was, sadly, very bad indeed.
Other sites urged users to change passwords – or advised them to stay off the internet altogether.
ESET Senior Research Fellow David Harley offers advice on how to deal with the problem, “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL including 1.0.1f and 1.0.2-beta1 shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile with -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory.
“However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011.
“While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”
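The first step in the remediation Harley describes is working out which OpenSSL branch a host or device is actually running, and then confirming that the chosen fix (upgrade to 1.0.1g, or a rebuild with -DOPENSSL_NO_HEARTBEATS) took effect. The script below is an added example written for this article; it is not ESET's or the OpenSSL project's code. It classifies the string printed by `openssl version` against the version ranges named in the advisory, and it scans the output of `openssl s_client -tlsextdebug` for the TLS heartbeat extension, which a server built without heartbeats no longer advertises. The sample version strings and s_client output are constructed for illustration, and the verdict names ("vulnerable", "fixed", "not-affected", "unknown") are this example's own.

```python
"""Heartbleed (CVE-2014-0160) remediation checks: an added example, not code
from the article or from OpenSSL.  It reasons only about version strings and
captured s_client output, so it runs offline on the constructed samples below."""
import re

# From the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta/1.0.2-beta1
# are affected; 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0
# branches never contained the heartbeat code.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d*))?")


def classify_openssl_version(text):
    """Return "vulnerable", "fixed", "not-affected" or "unknown" for an
    `openssl version` string such as "OpenSSL 1.0.1f 6 Jan 2014".

    Caveat for practitioners: distributions that backport the fix keep the
    upstream string (Debian's "1.0.1e-2+deb7u5", for example, is patched but
    still reads 1.0.1e), so "vulnerable" here means "check further", while
    "fixed" and "not-affected" can be trusted.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if branch < (1, 0, 1):
        return "not-affected"                      # 0.9.8x, 1.0.0x
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" sort before "g", the first fixed release
        return "vulnerable" if letter[:1] < "g" else "fixed"
    if branch == (1, 0, 2):
        if beta is None:
            return "fixed"                         # 1.0.2 final post-dates the fix
        return "vulnerable" if beta in ("", "1") else "fixed"   # beta2 is fixed
    return "fixed"                                 # 1.1.x and later


# `openssl s_client -connect host:443 -tlsextdebug` prints one line per TLS
# extension the server sent back; the heartbeat extension has id 15.
_HEARTBEAT_EXT_RE = re.compile(r'TLS server extension "heartbeat" \(id=15\)')


def server_advertises_heartbeat(s_client_output):
    """True if the captured -tlsextdebug output shows the server negotiating
    the heartbeat extension.  A server rebuilt with -DOPENSSL_NO_HEARTBEATS
    stops advertising it; a server upgraded to 1.0.1g still advertises it
    (the fix is a bounds check, not removal), so this confirms only the
    recompile route, not the upgrade route."""
    return _HEARTBEAT_EXT_RE.search(s_client_output) is not None


# Constructed samples (not captured from any real host).
SAMPLE_VERSIONS = [
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1e-2+deb7u5",          # distro backport: flagged, check further
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.2-beta2",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "not an openssl banner",
]

SAMPLE_TLSEXTDEBUG_WITH_HEARTBEAT = """\
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
"""

SAMPLE_TLSEXTDEBUG_NO_HEARTBEAT = """\
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0
"""


def main():
    for banner in SAMPLE_VERSIONS:
        print(f"{banner!r:40} -> {classify_openssl_version(banner)}")
    print("heartbeat advertised (sample 1):",
          server_advertises_heartbeat(SAMPLE_TLSEXTDEBUG_WITH_HEARTBEAT))
    print("heartbeat advertised (sample 2):",
          server_advertises_heartbeat(SAMPLE_TLSEXTDEBUG_NO_HEARTBEAT))


if __name__ == "__main__":
    main()
```

Run it against the real `openssl version` output of every host, including appliances and embedded devices that bundle their own OpenSSL, and treat a "vulnerable" verdict on a distribution-patched build as a prompt to read the package changelog rather than as a false alarm to dismiss. Neither check says anything about keys or passwords exposed while a vulnerable build was in service; those still need the revocation and reset Harley describes.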