Attacks/Breaches
8/4/2011
05:06 PM
50%
50%

Pwnie Award Highlights: Sony Epic Fail And More

Stuxnet another winner at the annual Pwnie Awards, which honor the security world's achievements, failures, and musical talents.

Black Hat
10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
It's official: Sony has bagged the Pwnie award for "Most Epic Fail."

That honor was bestowed upon the consumer electronics giant at the Pwnie Awards 2011 event on Wednesday at the Black Hat conference, a UBM TechWeb event, in Las Vegas.

Every year, the Pwnies (rhymes with "ponies") honor "the achievements and failures of security researchers and the security community," according to the Pwnie Awards organizers. Nominations are open to the public. Award winners receive a My Little Pony, spray-painted in gold, though not all winners come forward to collect their award.

Sony was a shoe-in for "Most Epic Fail," as the company had been nominated five times, not least for laying off numerous information security personnel just months before suffering a crippling series of cyber attacks that compromised Sony PlayStation Network, Sony Online Entertainment, and Sony Pictures, amongst other Sony websites. Furthermore, it was the only nominee.

"Is anyone from LulzSec here to accept it on their behalf?" said Dino Dai Zovi, one of the eight people who judged the nominations. "LulzSec, please don't hack us."

Dai Zovi also offered a legal disclaimer for the awards: "We want to make sure that for some of these categories, we're not condoning this type of behavior, but recognizing its significance. Because nothing works more awesome than giving everything your 110%, soaring on your dreams, and making your failing even more epic."

On a related note, the Pwnie award for best song went to Geohot, for The Light It Up Contest, his rap about Sony, which launches with the following challenge: "Let's take this out of the courtroom and into the streets, I'm a beast, at the least, you'll face me in the northeast."

In the words of Pwnie judge Dave Aitel, "he's so talented, and so white." Geohot, aka George Hotz, was one of numerous people sued by Sony for allegedly distributing information about how to jailbreak the PS3. According to the Pwnie website, "There is strangely enough a long tradition of hacker-written songs and raps."

RSA won the "Lamest Vendor Response" award, for the SecurID hack, which judge HD Moore summarized as, "Hey, someone may have taken all the secure keys for the thing that forms the name of our company." He said the award was bestowed in particular for "the lack of information available, the fact that it was drawn out for so long, and that they lost the keys to their kingdom, and they're still around."

"If we have a rep from RSA here, feel free to come up and pick up your awesome Pony. We know you're here, there's 16 of you here, we counted. Send out the intern," said Moore. Perhaps predictably, no audience members advanced to the podium. "We'll find you later," he said.

Meanwhile, the lifetime achievement award went to pipacs. "Microsoft today has announced a challenge, giving out $200,000 for work very similar to that that has been done and given away for free by pipacs, a decade ago," said judge Dai Zovi. "All of the operating systems that we use today that have protections against memory trespasses, all of these protection mechanisms can be traced back to the work of pipacs." Microsoft's recently announced prize money for enhancing Windows security, he said, is an extension of the work begun by pipacs, who is perhaps best known for inventing address space layout randomization (ASLR).

Other awards went to security researcher Tarjei Mandt for "Best Privilege Escalation Bug," for discovering Windows kernel win32k user-mode callback vulnerabilities. Comex won the Pwnie for "Best Client-Side Bug" for an attack that bypasses ASLR protection in iOS and exploits a kernel vulnerability to execute arbitrary code in the kernel and disable code signing, and which can be used to jailbreak iOS devices.

In addition, Piotr Bania won the Pwnie for most innovative research for taking a document containing recommendations for improving Windows security, using static analysis on Windows, then implementing many of these fixes in the Windows kernel. "He managed to rewrite all the kernel drivers in Windows to include these protections, without crashing them," said judge Alexander Sotirov.

But perhaps the most eagerly awaited award, however, was in the category of "Epic 0wnage." Nominees included Anonymous "for hacking HBGary Federal," LulzSec "for hacking everyone," as well as Bradley Manning and WikiLeaks--the latter nomination earning a loud, extended round of applause as it was read out. But the winner was Stuxnet, described by the Pwnie judge Mark Dowd as "a non-violent protest against the Iranian nuclear program, allegedly done by a government with some pretty advanced intelligence capabilities. We suspect Belgium."

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ChazzMann
50%
50%
ChazzMann,
User Rank: Apprentice
12/3/2011 | 10:50:00 PM
re: Pwnie Award Highlights: Sony Epic Fail And More
I love it. Some nobody named Piotr can fix a complete set of critical Windows mistakes. For free. While hundreds of overpaid coders at MS ask, "How'd he do that?"

Reminds me of the endless problems MS had trying to figure out how to add tabs to their browser, years after Firefox had them. Now you know why it took them so long.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.