Attacks/Breaches
8/4/2011
05:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Pwnie Award Highlights: Sony Epic Fail And More

Stuxnet another winner at the annual Pwnie Awards, which honor the security world's achievements, failures, and musical talents.

Black Hat
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
It's official: Sony has bagged the Pwnie award for "Most Epic Fail."

That honor was bestowed upon the consumer electronics giant at the Pwnie Awards 2011 event on Wednesday at the Black Hat conference, a UBM TechWeb event, in Las Vegas.

Every year, the Pwnies (rhymes with "ponies") honor "the achievements and failures of security researchers and the security community," according to the Pwnie Awards organizers. Nominations are open to the public. Award winners receive a My Little Pony, spray-painted in gold, though not all winners come forward to collect their award.

Sony was a shoe-in for "Most Epic Fail," as the company had been nominated five times, not least for laying off numerous information security personnel just months before suffering a crippling series of cyber attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, amongst other Sony websites. Furthermore, it was the only nominee.

"Is anyone from LulzSec here to accept it on their behalf?" said Dino Dai Zovi, one of the eight people who judged the nominations. "LulzSec, please don't hack us."

Dai Zovi also offered a legal disclaimer for the awards: "We want to make sure that for some of these categories, we're not condoning this type of behavior, but recognizing its significance. Because nothing works more awesome than giving everything your 110%, soaring on your dreams, and making your failing even more epic."

On a related note, the Pwnie award for best song went to Geohot, for The Light It Up Contest, his rap about Sony, which launches with the following challenge: "Let's take this out of the courtroom and into the streets, I'm a beast, at the least, you'll face me in the northeast."

In the words of Pwnie judge Dave Aitel, "he's so talented, and so white." Geohot, aka George Hotz, was one of numerous people sued by Sony for allegedly distributing information about how to jailbreak the PS3. According to the Pwnie website, "There is strangely enough a long tradition of hacker-written songs and raps."

RSA won the "Lamest Vendor Response" award, for the SecurID hack, which judge HD Moore summarized as, "Hey, someone may have taken all the secure keys for the thing that forms the name of our company." He said the award was bestowed in particular for "the lack of information available, the fact that it was drawn out for so long, and that they lost the keys to their kingdom, and they're still around."

"If we have a rep from RSA here, feel free to come up and pick up your awesome Pony. We know you're here, there's 16 of you here, we counted. Send out the intern," said Moore. Perhaps predictably, no audience members advanced to the podium. "We'll find you later," he said.

Meanwhile, the lifetime achievement award went to pipacs. "Microsoft today has announced a challenge, giving out $200,000 for work very similar to that that has been done and given away for free by pipacs, a decade ago," said judge Dai Zovi. "All of the operating systems that we use today that have protections against memory trespasses, all of these protection mechanisms can be traced back to the work of pipacs." Microsoft's recently announced prize money for enhancing Windows security, he said, is an extension of the work begun by pipacs, who is perhaps best known for inventing address space layout randomization (ASLR).

Other awards went to security researcher Tarjei Mandt for "Best Privilege Escalation Bug," for discovering Windows kernel win32k user-mode callback vulnerabilities. Comex won the Pwnie for "Best Client-Side Bug" for an attack that bypasses ASLR protection in iOS and exploits a kernel vulnerability to execute arbitrary code in the kernel and disable code signing, and which can be used to jailbreak iOS devices.

In addition, Piotr Bania won the Pwnie for most innovative research for taking a document containing recommendations for improving Windows security, using static analysis on Windows, then implementing many of these fixes in the Windows kernel. "He managed to rewrite all the kernel drivers in Windows to include these protections, without crashing them," said judge Alexander Sotirov.

But perhaps the most eagerly awaited award, however, was in the category of "Epic 0wnage." Nominees included Anonymous "for hacking HBGary Federal," LulzSec "for hacking everyone," as well as Bradley Manning and WikiLeaks--the latter nomination earning a loud, extended round of applause as it was read out. But the winner was Stuxnet, described by the Pwnie judge Mark Dowd as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities. We suspect Belgium."

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChazzMann
50%
50%
ChazzMann,
User Rank: Apprentice
12/3/2011 | 10:50:00 PM
re: Pwnie Award Highlights: Sony Epic Fail And More
I love it. Some nobody named Piotr can fix a complete set of critical Windows mistakes. For free. While hundreds of overpaid coders at MS ask, "How'd he do that?"

Reminds me of the endless problems MS had trying to figure out how to add tabs to their browser, years after Firefox had them. Now you know why it took them so long.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.