Winners of Pwnie Awards 2008
Watch the 2008 award ceremony:
Pwnie for Best Server-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Windows IGMP kernel vulnerability (CVE-2007-0069)
Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered the most technically sophisticated and interesting client-side bug. These days, ‘client’ is pretty much synonymous with ‘web browser’, but don't forget about all the media player integer overflows!
Pwnie for Mass 0wnage
Awarded to the person who discovered the bug that resulted in the most widespread exploitation. Also known as ‘Pwnie for Breaking the Internet.’
An unbelievable number of WordPress vulnerabilities (CVE-2008-*)
It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Lest We Remember: Cold Boot Attacks on Encryption Keys
This paper proved that DRAMs used in most modern computers retain memory contents after powering off, including data like passwords and encryption keys, for much longer than most people believed. The authors developed new techniques for recognizing and recovering encryption keys even after some bits have been lost due to memory decay. The impact of the research was demonstrated with software to break the full disk encryption implementations on Windows, OS X and Linux.
Defeating a VM packer with a decompiler written in OCaml
This work describes an innovative attack on virtualizing protections. The idea is to create a compiler with a poly/metamorphic front-end that deobfuscates and recompiles the proprietary bytecode back into x86. The compiler was implemented in OCaml and successfully defeated multiple virtualizing protectors.
Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
McAfee's "Hacker Safe" certification program
XSS vulnerabilities in multiple sites certified as "Hacker Safe"
More than 60 web sites certified to be "Hacker Safe" by McAfee's ScanAlert service were reported as vulnerable to XSS attacks, including the ScanAlert web site itself. Joseph Pierini, director of enterprise services for the "Hacker Safe" program, maintains that XSS vulnerabilities can't be used to hack a server:
Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly.
Another McAfee quote that is certain to become a timeless hacker classic is "we go in like a super hacker".
Pwnie for Most Overhyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the mainstream media. Bonus points for bugs that turn out to be impossible to exploit in practice. Also known as ‘Pwnie for Pwning the Media.’
Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)
Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song? Let's see if anybody can beat Derek's Twas the night before Christmas.
Packin' The K!
On hackers we put the hurtski,
we use Kaspersky, we pack the K!
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time?
This award is to honor a person or company's spectacularly epic FAIL.
Debian for shipping a backdoored OpenSSL library for two years (CVE-2008-0166)
On May 2nd, 2006 Kurt Roeckx commented out two very important lines of code in the OpenSSL pseudo-random number generator (PRNG). The reason? Valgrind and Purify complained about the use of uninitialized data in the function that seeded the PRNG. By commenting out these two lines of code, the randomness of all cryptographic keys generated by the Debian OpenSSL package was reduced to about 15 bits, or less than 32,768 unique keys in practice.
By crippling the PRNG in the OpenSSL library, not only were all cryptographic keys generated on Debian-based systems suspect, but all cryptographic operations performed by these systems as well. Since the flaw was announced, Luciano Bello, Maximiliano Bertacchini, and Paolo Abeni have released a patch to Wireshark that decrypts SSL sessions (bypassing Perfect Forward Secrecy) that involve one of the weak keys. To this date, Kurt Roeckx still hosts vulnerable versions of the OpenSSL library in his personal directory on the Debian servers and has not been stripped of his Debian developer status.
Windows Vista for proving that security does not sell
$100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements.
The good thing about the Vista debacle is that no other vendor will care to do such a security push, which means that we'll be able to easily own any piece of software for the foreseeable future.
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.
This award is to honor the previous achievements of those who have moved on to bigger and better things such as management or owning (in the traditional sense) a coffee shop.
Hello? He is The Newsh 'Nuff said.