Attacks/Breaches
8/4/2011
05:06 PM
50%
50%

Pwnie Award Highlights: Sony Epic Fail And More

Stuxnet another winner at the annual Pwnie Awards, which honor the security world's achievements, failures, and musical talents.

Black Hat
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
It's official: Sony has bagged the Pwnie award for "Most Epic Fail."

That honor was bestowed upon the consumer electronics giant at the Pwnie Awards 2011 event on Wednesday at the Black Hat conference, a UBM TechWeb event, in Las Vegas.

Every year, the Pwnies (rhymes with "ponies") honor "the achievements and failures of security researchers and the security community," according to the Pwnie Awards organizers. Nominations are open to the public. Award winners receive a My Little Pony, spray-painted in gold, though not all winners come forward to collect their award.

Sony was a shoe-in for "Most Epic Fail," as the company had been nominated five times, not least for laying off numerous information security personnel just months before suffering a crippling series of cyber attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, amongst other Sony websites. Furthermore, it was the only nominee.

"Is anyone from LulzSec here to accept it on their behalf?" said Dino Dai Zovi, one of the eight people who judged the nominations. "LulzSec, please don't hack us."

Dai Zovi also offered a legal disclaimer for the awards: "We want to make sure that for some of these categories, we're not condoning this type of behavior, but recognizing its significance. Because nothing works more awesome than giving everything your 110%, soaring on your dreams, and making your failing even more epic."

On a related note, the Pwnie award for best song went to Geohot, for The Light It Up Contest, his rap about Sony, which launches with the following challenge: "Let's take this out of the courtroom and into the streets, I'm a beast, at the least, you'll face me in the northeast."

In the words of Pwnie judge Dave Aitel, "he's so talented, and so white." Geohot, aka George Hotz, was one of numerous people sued by Sony for allegedly distributing information about how to jailbreak the PS3. According to the Pwnie website, "There is strangely enough a long tradition of hacker-written songs and raps."

RSA won the "Lamest Vendor Response" award, for the SecurID hack, which judge HD Moore summarized as, "Hey, someone may have taken all the secure keys for the thing that forms the name of our company." He said the award was bestowed in particular for "the lack of information available, the fact that it was drawn out for so long, and that they lost the keys to their kingdom, and they're still around."

"If we have a rep from RSA here, feel free to come up and pick up your awesome Pony. We know you're here, there's 16 of you here, we counted. Send out the intern," said Moore. Perhaps predictably, no audience members advanced to the podium. "We'll find you later," he said.

Meanwhile, the lifetime achievement award went to pipacs. "Microsoft today has announced a challenge, giving out $200,000 for work very similar to that that has been done and given away for free by pipacs, a decade ago," said judge Dai Zovi. "All of the operating systems that we use today that have protections against memory trespasses, all of these protection mechanisms can be traced back to the work of pipacs." Microsoft's recently announced prize money for enhancing Windows security, he said, is an extension of the work begun by pipacs, who is perhaps best known for inventing address space layout randomization (ASLR).

Other awards went to security researcher Tarjei Mandt for "Best Privilege Escalation Bug," for discovering Windows kernel win32k user-mode callback vulnerabilities. Comex won the Pwnie for "Best Client-Side Bug" for an attack that bypasses ASLR protection in iOS and exploits a kernel vulnerability to execute arbitrary code in the kernel and disable code signing, and which can be used to jailbreak iOS devices.

In addition, Piotr Bania won the Pwnie for most innovative research for taking a document containing recommendations for improving Windows security, using static analysis on Windows, then implementing many of these fixes in the Windows kernel. "He managed to rewrite all the kernel drivers in Windows to include these protections, without crashing them," said judge Alexander Sotirov.

But perhaps the most eagerly awaited award, however, was in the category of "Epic 0wnage." Nominees included Anonymous "for hacking HBGary Federal," LulzSec "for hacking everyone," as well as Bradley Manning and WikiLeaks--the latter nomination earning a loud, extended round of applause as it was read out. But the winner was Stuxnet, described by the Pwnie judge Mark Dowd as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities. We suspect Belgium."

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChazzMann
50%
50%
ChazzMann,
User Rank: Apprentice
12/3/2011 | 10:50:00 PM
re: Pwnie Award Highlights: Sony Epic Fail And More
I love it. Some nobody named Piotr can fix a complete set of critical Windows mistakes. For free. While hundreds of overpaid coders at MS ask, "How'd he do that?"

Reminds me of the endless problems MS had trying to figure out how to add tabs to their browser, years after Firefox had them. Now you know why it took them so long.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9676
Published: 2015-02-27
The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free.

CVE-2014-9682
Published: 2015-02-27
The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function.

CVE-2015-0655
Published: 2015-02-27
Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184.

CVE-2015-0884
Published: 2015-02-27
Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character.

CVE-2015-0885
Published: 2015-02-27
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.