In association with heise online

27 July 2012, 09:29

Hacker scene presents Pwnie Awards 2012


The film industry has its Oscars, the security scene its Pwnies

At the Black Hat information security conference in Las Vegas, a jury of well-known security experts including HD Moore and Dino Dai Zovi has chosen the winners of the sixth annual Pwnie Awards. The awards are considered to be the Oscars of the security community and do have a certain element of show business.

The Pwnie for the Best Client-Side Bug was awarded to Pinkie Pie and Sergey Glazunov who, independently of each other, managed to escape from the Chrome sandbox. The two had already won $60,000 each at Google's Pwnium hacker contest for their work; however, this was by no means easy money: Pinkie Pie had to combine six vulnerabilities to escape, Glazunov at least fourteen.

The Pwnie for the Best Server-Side Bug went to Sergei Golubchik: he found that certain MySQL configurations will accept any password – as long as a sufficient number of attempts is made. The award for the Best Privilege Escalation Bug went to Mateusz "j00ru" Jurczyk – his exploit for all 32-bit editions of Windows (NT up to the preview version of Windows 8) granted system privileges to Windows users with limited access rights in next to no time.

The "Most Innovative Research" Pwnie was won by Travis Goodspeed for his paper entitled Packets in Packets: Orson Welles In-Band Signaling Attacks for Modern Radios. The researcher describes how transmission errors on wireless connections such as Wi-Fi networks can purposefully be used to pass specially crafted data packets to unsuspecting users. The Best Song award went to Dual Core for "Control", although this song didn't get people's feet tapping quite as much as last year's winner geohot with "The Light It Up Contest".

The only winner who might have preferred to go without a Pwnie was F5 Networks, the network equipment supplier who won the "Most Epic FAIL" award. The company had used the same SSH private key, which could be extracted from the firmware, in all of its appliances. This allowed practically anyone to remotely log into the devices as root.

The Pwnie in the illustrious "Epic 0wnage" category was awarded to the developers of the Flame super spyware. They successfully used an MD5 collision attack to clone Microsoft certificates and deploy bogus updates via the Windows Update feature. According to the Washington Post, compliments for this award are due to the CIA, the NSA and the Israeli military.

