Winners of Pwnie Awards 2014
Pwnie for Best Server-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.
Heartbleed (CVE-2014-0160)
The Heartbleed vulnerability was disclosed in April this year, starting a trend of giving vulnerabilities names, websites and logos. It was also a cool bug. It had a significant impact on both Yahoo! webmail users and any firm using Amazon's Elastic Load Balancers (ELBs). For almost a full day, anyone visiting the Yahoo! webmail application or an ELB-backed cloud service was at risk of having their cleartext credentials exposed. Yahoo! approached this problem by forcing password resets. The other 10,000+ companies using ELB likely did not.
Pwnie for Best Client-Side Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.
Google Chrome Arbitrary Memory Read Write Vulnerability (CVE-2014-1705)
Geohot won the Pwnium contest by chaining together four vulnerabilities, starting with a logic flaw in Chrome that let him read and write arbitrary memory.
Pwnie for Best Privilege Escalation Bug
Awarded to the person who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis
In this fascinating paper, the authors describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. They experimentally demonstrated that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
Pwnie for Lamest Vendor Response
Awarded to the vendor who mishandled a security vulnerability most spectacularly.
AVG Remote Administration Insecure "By Design"
Declaring reported security weaknesses "by design" is so much less work than actually fixing them. Hey, anybody want to get some fro-yo?
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song?
"The SSL Smiley Song"
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.
We don't take kindly to "Pwnie Bait" vulnerabilities that have been introduced and named just to earn the coveted Epic FAIL Pwnie, but we'll let this one slide, Apple.
Pwnie for Epic 0wnage
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
The world's largest bitcoin exchange pumps up the price of BTC well above competing exchanges, stops allowing cash withdrawals, blocks bitcoin withdrawals, and finally comes crashing down claiming that it was hacked. All of this from an expat CEO living in Japan who was convicted of crimes in his home country in absentia. Hundreds of millions of dollars went missing, and all blockchain analysis points to Mr. Karpelès either being the dumbest developer in the history of mankind or complicit in the theft of Mt. Gox users' funds.