Pwnie Awards

Last updated
Pwnie Awards
StatusActive
GenreAwards Ceremony
FrequencyAnnual
Venue Summercon, Black Hat
Years active17
Inaugurated2007 (2007)
Founder Alexander Sotirov, Dino Dai Zovi
Website pwnies.com

The Pwnie Awards recognize both excellence and incompetence in the field of information security.[ citation needed ] Winners are selected by a committee of security industry professionals from nominations collected from the information security community. [1] Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference. [2]

Contents

Origins

The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony," [2] is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.

History

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi [1] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE - 2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE - 2007-0038) in Internet Explorer.

Winners

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Winner list from. [34]

2014

2013

2012

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. [40] [41] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest. [40] [42]

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. [40] [41] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets. [40] [41]

The award for best song went to "Control" by nerdcore rapper Dual Core. [40] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community. [40]

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. [40] [42] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame). [41]

The award for "epic 0wnage" went to Flame for its MD5 collision attack, [42] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system. [41]

2011

2010

2009

2008

2007

Related Research Articles

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network is often referred to as remote code execution.

<span class="mw-page-title-main">Intel Active Management Technology</span> Out-of-band management platform

Intel Active Management Technology (AMT) is hardware and firmware for remote out-of-band management of select business computers, running on the Intel Management Engine, a microprocessor subsystem not exposed to the user, intended for monitoring, maintenance, updating, and repairing systems. Out-of-band (OOB) or hardware-based management is different from software-based management and software management agents.

Przemysław Frasunek is a "white hat" hacker from Poland. He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless. He serves as the CEO of Redge Technologies.

<span class="mw-page-title-main">Lennart Poettering</span> German software engineer

Lennart Poettering is a German software engineer working for Microsoft and the original author of PulseAudio, Avahi and systemd.

<span class="mw-page-title-main">ImmuniWeb</span> Swiss application security company

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops machine learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

<span class="mw-page-title-main">Shellshock (software bug)</span> Security bug in the Unix Bash shell discovered in 2014

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to execute arbitrary commands and gain unauthorized access to many Internet-facing services, such as web servers, that use Bash to process requests.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

<span class="mw-page-title-main">Stagefright (bug)</span> Software bug in Android

Stagefright is the name given to a group of software bugs that affect versions from 2.2 "Froyo" up until 5.1.1 "Lollipop" of the Android operating system exposing an estimated 950 million devices at the time. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim's device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn't have to do anything to 'accept' exploits using the bug; it happens in the background. A phone number is the only information needed to carry out the attack.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original speculative execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM Power microprocessors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original speculative execution CPU vulnerabilities, which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

Speculative Store Bypass (SSB) is the name given to a hardware security vulnerability and its exploitation that takes advantage of speculative execution in a similar way to the Meltdown and Spectre security vulnerabilities. It affects the ARM, AMD and Intel families of processors. It was discovered by researchers at Microsoft Security Response Center and Google Project Zero (GPZ). After being leaked on 3 May 2018 as part of a group of eight additional Spectre-class flaws provisionally named Spectre-NG, it was first disclosed to the public as "Variant 4" on 21 May 2018, alongside a related speculative execution vulnerability designated "Variant 3a".

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

Transient execution CPU vulnerabilities are vulnerabilities in which instructions, most often optimized using speculative execution, are executed temporarily by a microprocessor, without committing their results due to a misprediction or error, resulting in leaking secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability reported in November 2021 in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. 1 2 3 4 Buley, Taylor (July 30, 2009). "Twitter Gets 'Pwned' Again". Forbes. Archived from the original on February 16, 2013. Retrieved January 3, 2013.
  2. 1 2 3 4 5 6 7 Sutter, John D. (August 4, 2011). "Sony gets 'epic fail' award from hackers". CNN. Retrieved January 3, 2013.
  3. Some of you may already be aware but due to extenuating circumstances we've made an early award!
  4. "Let the Cache Cache and Let the WebAssembly Assemble: Knocking’ on Chrome’s Shell"
  5. See No Eval: Runtime Dynamic Code Execution in Objective-C
  6. Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED
  7. @PwnieAwards (10 August 2022). "Our final nomination for Lamest Vendor Response goes to:Google TAG for "unilaterally shutting down a counterterrorism operation"" (Tweet) via Twitter.
  8. "Google's top security teams unilaterally shut down a counterterrorism operation".
  9. "Google's Project Zero shuts down Western counter-terrorist hacker team". 29 March 2021.
  10. Goodin, Dan (2021-04-21). "In epic hack, Signal developer turns the tables on forensics firm Cellebrite". Archived from the original on 2023-05-23.
  11. Cox, Joseph; Franceschi-Bicchierai, Lorenzo (2021-04-27). "Cellebrite Pushes Update After Signal Owner Hacks Device". Archived from the original on 2023-05-11.
  12. Brazeal, Forrest (11 June 2021). "The Ransomware Song". YouTube. Archived from the original on 2021-12-21. Retrieved 9 August 2021.
  13. Tsai, Orange. "ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!". www.blackhat.com. Retrieved 9 August 2021.
  14. "U/OO/104201-20 PP-19-0031 01/14/2020 National Security Agency | Cybersecurity Advisory 1 Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers" (PDF). Defense.gov. Retrieved 9 August 2021.
  15. Göktaş, Enes; Razavi, Kaveh; Portokalidis, Georgios; Bos, Herbert; Giuffrida, Cristiano. "Speculative Probing: Hacking Blind in the Spectre Era" (PDF).
  16. Kolsek, Mitja. "Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)". 0Patch Blog. Retrieved 9 August 2021.
  17. Alendal, Gunnar. "Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics". www.blackhat.com. Black Hat.
  18. "21Nails: Multiple vulnerabilities in Exim". qualys.com. Qualys. Retrieved 9 August 2021.
  19. "E-Soft MX survey". securityspace.com. E-Soft Inc. 1 March 2021. Retrieved 21 March 2021.
  20. Tsai, Orange. "Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!". www.blackhat.com. Retrieved 7 August 2019.
  21. "Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second", Vectorized Emulation
  22. "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd"
  23. 1 2 "Spectre Attacks: Exploiting Speculative Execution", Spectre
  24. 1 2 "Meltdown", Meltdown
  25. "Return Of Bleichenbacher’s Oracle Threat (ROBOT)"
  26. https://www.theregister.com/2018/08/31/bitfi_reluctantly_drops_unhackable_claim/ [ bare URL ]
  27. "Pwnie for Most Innovative Research", Pwnie Awards
  28. "Pwnie for Best Privilege Escalation Bug", Pwnie Awards
  29. "The 2017 Pwnie Award For Lamest Vendor Response", Pwnie Awards
  30. Hello (From the Other Side) Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner
  31. "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector", Erik Bosman et al.
  32. "DROWN: Breaking TLS using SSLv2" Nimrod Aviram et al.
  33. Cyberlier Katie Moussouris
  34. "'Will it Blend?' Earns Pwnie for Best Client Bug; OPM for Most Epic Fail".
  35. https://j00ru.vexillium.org/slides/2015/recon.pdf [ bare URL PDF ]
  36. "CERT/CC Vulnerability Note VU#552286".
  37. "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", Adrian David et al.
  38. "Identifying and Exploiting Windows Kernel RaceConditions via Memory Access Patterns"
  39. at 09:31, John Leyden 5 Oct 2012. "Experts troll 'biggest security mag in the world' with DICKish submission". www.theregister.co.uk. Retrieved 2019-10-03.{{cite web}}: CS1 maint: numeric names: authors list (link)
  40. 1 2 3 4 5 6 7 Yin, Sara (July 26, 2012). "And Your 2012 Pwnie Award Winners Are..." SecurityWatch. PCMag. Retrieved January 8, 2013.
  41. 1 2 3 4 5 Constantin, Lucian (July 26, 2012). "Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat". IDG-News-Service. PCWorld. Retrieved January 8, 2013.
  42. 1 2 3 Sean Michael Kerner (July 25, 2012). "Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail". InternetNews.com. Retrieved January 8, 2013.
  43. 1 2 3 4 5 6 7 8 Schwartz, Mathew J. (August 4, 2011). "Pwnie Award Highlights: Sony Epic Fail And More". InformationWeek. Retrieved January 3, 2013.
  44. "Kernel Attacks through User-Mode Callbacks"
  45. "Securing the Kernel via Static Binary Rewriting and Program Shepherding"
  46. "Interpreter Exploitation Pointer Inference and JIT Spraying"
  47. 1 2 3 Brown, Bob (July 31, 2009). "Twitter, Linux, Red Hat, Microsoft "honored" with Pwnie Awards". NetworkWorld. Archived from the original on August 5, 2009. Retrieved January 3, 2013.
  48. 1 2 3 Naone, Erica (August 7, 2008). "Black Hat's Pwnie Awards". MIT Technology Review. Retrieved January 3, 2013.
  49. 1 2 3 4 5 6 Naraine, Ryan (August 2, 2007). "OpenBSD team mocked at first ever 'Pwnie' awards". ZDNet. Archived from the original on February 17, 2013. Retrieved January 3, 2013.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.