2012 Pwnie awards - winners announced
Malware hits the Mac but is it worth worrying about?
Last night saw the announcement of the annual Pwnie awards, where the finest exploits and failures are ‘celebrated'.
Held to coincide with the Black Hat conference in Las Vegas, the nominees were announced at the start of this week.
The winners included Pinkie Pie's Pwnium Exploit and Sergey Glazunov's Pwnium Exploit, who both won the award for best client-side bug, awarded to the person who discovered or exploited the most technically sophisticated and interesting client-side bug.
The pwnie for best server-side bug went to Sergei Golubchik for the MySQL Authentication Bypass (CVE-2012-2122), while the pwnie for best privilege escalation bug went to Mateusz Jurczyk for the (MS11-098) Windows Kernel Exception Handler Vulnerability.
The most notable pwnie, ‘for epic 0wnage', which is presented "to the hackers responsible for delivering the most damaging, widely publicised or hilarious 0wnage", went to the authors of Flame. The judges said: “Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book. And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage.”
Elsewhere the pwnie for most innovative research went to Travis Goodspeed for his ‘Packets in Packets: Orson Welles' In-Band Signaling Attacks for Modern Radios' paper, while the pwnie for best song went to conference favourite Dual Core for ‘Control'. If you want to listen to it, it is here.
This year there was no award for ‘lamest vendor response', but the pwnie for most epic fail went to vendor F5 Networks for its Static Root SSH Key, after it inadvertently shipped a static SSH key that could be used to authenticate as root on many of their BigIP devices.
Some of these awards do make me smile. Some may see them as a suspicious effort to 'award' actions that can cause nightmares for CISOs and administrators, and I suspect that the award to the authors of Flame may be well discussed. But as long as the pwnies are seen as a bit of fun and not as a method to expose greater bugs and exploits, then they should continue.