8/4/2011 05:06 PM

Pwnie Award Highlights: Sony Epic Fail And More

Stuxnet another winner at the annual Pwnie Awards, which honor the security world's achievements, failures, and musical talents.

It's official: Sony has bagged the Pwnie award for "Most Epic Fail."

That honor was bestowed upon the consumer electronics giant at the Pwnie Awards 2011 event on Wednesday at the Black Hat conference, a UBM TechWeb event, in Las Vegas.

Every year, the Pwnies (rhymes with "ponies") honor "the achievements and failures of security researchers and the security community," according to the Pwnie Awards organizers. Nominations are open to the public. Award winners receive a My Little Pony, spray-painted in gold, though not all winners come forward to collect their award.

Sony was a shoo-in for "Most Epic Fail," as the company had been nominated five times, not least for laying off numerous information security personnel just months before suffering a crippling series of cyber attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, amongst other Sony websites. Furthermore, it was the only nominee.

"Is anyone from LulzSec here to accept it on their behalf?" said Dino Dai Zovi, one of the eight people who judged the nominations. "LulzSec, please don't hack us."

Dai Zovi also offered a legal disclaimer for the awards: "We want to make sure that for some of these categories, we're not condoning this type of behavior, but recognizing its significance. Because nothing works more awesome than giving everything your 110%, soaring on your dreams, and making your failing even more epic."

On a related note, the Pwnie award for best song went to Geohot, for The Light It Up Contest, his rap about Sony, which launches with the following challenge: "Let's take this out of the courtroom and into the streets, I'm a beast, at the least, you'll face me in the northeast."

In the words of Pwnie judge Dave Aitel, "he's so talented, and so white." Geohot, aka George Hotz, was one of numerous people sued by Sony for allegedly distributing information about how to jailbreak the PS3. According to the Pwnie website, "There is strangely enough a long tradition of hacker-written songs and raps."

RSA won the "Lamest Vendor Response" award, for the SecurID hack, which judge HD Moore summarized as, "Hey, someone may have taken all the secure keys for the thing that forms the name of our company." He said the award was bestowed in particular for "the lack of information available, the fact that it was drawn out for so long, and that they lost the keys to their kingdom, and they're still around."

"If we have a rep from RSA here, feel free to come up and pick up your awesome Pony. We know you're here, there's 16 of you here, we counted. Send out the intern," said Moore. Perhaps predictably, no audience members advanced to the podium. "We'll find you later," he said.

Meanwhile, the lifetime achievement award went to pipacs. "Microsoft today has announced a challenge, giving out $200,000 for work very similar to that that has been done and given away for free by pipacs, a decade ago," said judge Dai Zovi. "All of the operating systems that we use today that have protections against memory trespasses, all of these protection mechanisms can be traced back to the work of pipacs." Microsoft's recently announced prize money for enhancing Windows security, he said, is an extension of the work begun by pipacs, who is perhaps best known for inventing address space layout randomization (ASLR).

Other awards went to security researcher Tarjei Mandt for "Best Privilege Escalation Bug," for discovering Windows kernel win32k user-mode callback vulnerabilities. Comex won the Pwnie for "Best Client-Side Bug" for an attack that bypasses ASLR protection in iOS and exploits a kernel vulnerability to execute arbitrary code in the kernel and disable code signing, and which can be used to jailbreak iOS devices.

In addition, Piotr Bania won the Pwnie for most innovative research for taking a document of recommendations for improving Windows security, applying static analysis to Windows, and then implementing many of those fixes in the Windows kernel. "He managed to rewrite all the kernel drivers in Windows to include these protections, without crashing them," said judge Alexander Sotirov.

Perhaps the most eagerly awaited award, however, was in the category of "Epic 0wnage." Nominees included Anonymous "for hacking HBGary Federal," LulzSec "for hacking everyone," as well as Bradley Manning and WikiLeaks--the latter nomination earning a loud, extended round of applause as it was read out. But the winner was Stuxnet, described by Pwnie judge Mark Dowd as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities. We suspect Belgium."


Comments
ChazzMann (User Rank: Apprentice), 12/3/2011 | 10:50:00 PM
re: Pwnie Award Highlights: Sony Epic Fail And More
I love it. Some nobody named Piotr can fix a complete set of critical Windows mistakes. For free. While hundreds of overpaid coders at MS ask, "How'd he do that?"

Reminds me of the endless problems MS had trying to figure out how to add tabs to their browser, years after Firefox had them. Now you know why it took them so long.