informa
/
Attacks/Breaches
Quick Hits

Heartbleed, GotoFail Bring Home Pwnie Awards

The Pwnie Awards celebrate the best bug discoveries and worst security fails.

Black Hat USA — Las Vegas — With nerdy security-themed music, a splash of sequins, and a general attitude of good-natured disorder, the security community celebrated its very best and very worst at the Pwnie Awards, Wednesday evening at the Black Hat conference. The Pwnies are awarded by a panel of security researchers who would no doubt be Pwnie winners themselves if they were eligible to enter: Dino Dai Zovi, Justine Aitel, Mark Dowd, Alexander Sotirov, Brandon Edwards, Christopher Valasek, and HD Moore.

{image 1}

The winners are:

Best Server-Side Bug: (Surprise, surprise) Heartbleed, credited to Neel Mehta and Codenomicon. Heartbleed is perhaps the most famous security trouble of the year, which brought more attention to the many drawbacks of SSL. Although Mehta and Codenomicon were lauded for their work in solving the problem, the open-source community was nominated for the Pwnie for "Most Epic Fail," being that the flaw existed for two years.

Best Client-Side Bug: Google Chrome Arbitrary Memory Read-Write Vulnerability, credited to Geohot. According to the Pwnie organizers, Geohot earned the accolades for "chaining together four vulnerabilities, starting with a logic flaw in Chrome that let him read and write arbitrary memory."

Best Privilege Escalation Bug: AFD.sys Dangling Pointer Vulnerability, credited to Sebastian Apelt. As the Pwnie people say, "This exploit is a great example of using a kernel exploit to escape the Internet Explorer 11 sandbox on Windows 8.1."

Most Innovative Research: RSA Key Extract Via Low-Bandwidth Acoustic Cryptanalysis, credited to Daniel Genkin, Adi Shamir, Eran Tromer. "The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts."

Lamest Vendor Response: AVG, saying that a software weakness was "by design" and therefore not a vulnerability. This offense even beat out another nominee: "Daniel" from Open Cert who replied to a researcher's request for the appropriate email address for vulnerability disclosures, with "it was not ignored dick head why lie! are you a professional or not? professionals don't need to lie to prove a point they use facts!"

Most Epic Fail: Apple GotoFail. The critical "goto fail" SSL flaw in OS X -- caused by a line of C code that says "goto fail" -- could allow attackers to eavesdrop on a target's communications, including emails, FaceTime video conversations, and Find My Mac tracking information. Plus it has "fail" right in the name.

Most Epic 0wnage: Mt. Gox, another example of cryptocurrency risky business. Hackers seized control of the personal blog of Mark Karpeles, CEO of the bankrupt Mt. Gox Bitcoin exchange, accusing him of stealing 100,000 bitcoins.

Best Song: the SSL Smiley Song, by 0xabad1dea. To the tune of "Jingle Bells," in a sweet, breathy voice one might attribute to a grown-up Cindy Lou-Who, she sings "Dashing through the cloud / On a 10 giabit link / One packet in a crowd / Falls into the data sink." Although the songstress herself was not in attendance, her colleague accepted the Pwnie on her behalf and sang "I'm a Little Teapot" in an admirable falsetto as Brandon Edwards danced along. The SSL Smiley Song even beat out a 50 Cent parody celebrating every security pro's favorite certification, "I'm a C I Double-S P."

 

Recommended Reading:
Editors' Choice
Kirsten Powell, Senior Manager for Security & Risk Management at Adobe
Joshua Goldfarb, Director of Product Management at F5