Pwnie Awards

Last updated
Pwnie Awards
StatusActive
GenreAwards Ceremony
FrequencyAnnual
Venue Summercon, Black Hat
Years active17
Inaugurated2007 (2007)
Founder Alexander Sotirov, Dino Dai Zovi
Website pwnies.com

The Pwnie Awards recognize both excellence and incompetence in the field of information security.[ citation needed ] Winners are selected by a committee of security industry professionals from nominations collected from the information security community. [1] Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference. [2]

Contents

Origins

The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony," [2] is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.

History

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi [1] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE - 2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE - 2007-0038) in Internet Explorer.

Winners

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Winner list from. [32]

2014

2013

2012

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. [38] [39] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest. [38] [40]

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows. [38] [39] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets. [38] [39]

The award for best song went to "Control" by nerdcore rapper Dual Core. [38] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community. [38]

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony. [38] [40] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame). [39]

The award for "epic 0wnage" went to Flame for its MD5 collision attack, [40] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system. [39]

2011

2010

2009

2008

2007

Related Research Articles

<span class="mw-page-title-main">OpenSSL</span> Open-source implementation of the SSL and TLS protocols

OpenSSL is a software library for applications that provide secure communications over computer networks against eavesdropping, and identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application or user with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

Vulnerabilities are flaws in a computer system that weaken the overall security of the system.

Przemysław Frasunek is a "white hat" hacker from Poland. He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless. He serves as the CEO of Redge Technologies.

<span class="mw-page-title-main">JailbreakMe</span> Series of iOS jailbreaks

JailbreakMe is a series of jailbreaks for Apple's iOS mobile operating system that took advantage of flaws in the Safari browser on the device, providing an immediate one-step jailbreak, unlike more common jailbreaks, such as Blackra1n and redsn0w, that require plugging the device into a computer and running the jailbreaking software from the desktop. JailbreakMe included Cydia, a package management interface that serves as an alternative to the App Store. Although it does not support modern devices, the websites remain available for compatible devices.

<span class="mw-page-title-main">Lennart Poettering</span> German software engineer

Lennart Poettering is a German software engineer working for Microsoft and the original author of PulseAudio, Avahi and systemd.

<span class="mw-page-title-main">ImmuniWeb</span> Swiss application security company

ImmuniWeb is a global application security company headquartered in Geneva, Switzerland. ImmuniWeb develops machine learning and AI technologies for SaaS-based application security solutions provided via its proprietary ImmuniWeb AI Platform.

<span class="mw-page-title-main">Intel Management Engine</span> Autonomous computer subsystem

The Intel Management Engine (ME), also known as the Intel Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008. It is located in the Platform Controller Hub of modern Intel motherboards.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

FREAK is a security exploit of a cryptographic weakness in the SSL/TLS protocols introduced decades earlier for compliance with U.S. cryptography export regulations. These involved limiting exportable software to use only public key pairs with RSA moduli of 512 bits or fewer, with the intention of allowing them to be broken easily by the National Security Agency (NSA), but not by other organizations with lesser computing resources. However, by the early 2010s, increases in computing power meant that they could be broken by anyone with access to relatively modest computing resources using the well-known Number Field Sieve algorithm, using as little as $100 of cloud computing services. Combined with the ability of a man-in-the-middle attack to manipulate the initial cipher suite negotiation between the endpoints in the connection and the fact that the finished hash only depended on the master secret, this meant that a man-in-the-middle attack with only a modest amount of computation could break the security of any website that allowed the use of 512-bit export-grade keys. While the exploit was only discovered in 2015, its underlying vulnerabilities had been present for many years, dating back to the 1990s.

Rowhammer is a computer security exploit that takes advantage of an unintended and undesirable side effect in dynamic random-access memory (DRAM) in which memory cells interact electrically between themselves by leaking their charges, possibly changing the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Intel Software Guard Extensions (SGX) is a set of instruction codes implementing trusted execution environment that are built into some Intel central processing units (CPUs). They allow user-level and operating system code to define protected private regions of memory, called enclaves. SGX is designed to be useful for implementing secure remote computation, secure web browsing, and digital rights management (DRM). Other applications include concealment of proprietary algorithms and of encryption keys.

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

<span class="mw-page-title-main">J. Alex Halderman</span> American computer scientist

J. Alex Halderman is professor of computer science and engineering at the University of Michigan, where he is also director of the Center for Computer Security & Society. Halderman's research focuses on computer security and privacy, with an emphasis on problems that broadly impact society and public policy.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM Power microprocessors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

<span class="mw-page-title-main">Spectre (security vulnerability)</span> Processor security vulnerability

Spectre is one of the two original transient execution CPU vulnerabilities, which involve microarchitectural side-channel attacks. These affect modern microprocessors that perform branch prediction and other forms of speculation. On most processors, the speculative execution resulting from a branch misprediction may leave observable side effects that may reveal private data to attackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.

<span class="mw-page-title-main">Microarchitectural Data Sampling</span> CPU vulnerabilities

The Microarchitectural Data Sampling (MDS) vulnerabilities are a set of weaknesses in Intel x86 microprocessors that use hyper-threading, and leak data across protection boundaries that are architecturally supposed to be secure. The attacks exploiting the vulnerabilities have been labeled Fallout, RIDL, ZombieLoad., and ZombieLoad 2.

Transient execution CPU vulnerabilities are vulnerabilities in a computer system in which a speculative execution optimization implemented in a microprocessor is exploited to leak secret data to an unauthorized party. The archetype is Spectre, and transient execution attacks like Spectre belong to the cache-attack category, one of several categories of side-channel attacks. Since January 2018 many different cache-attack vulnerabilities have been identified.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

References

  1. 1 2 3 4 Buley, Taylor (July 30, 2009). "Twitter Gets 'Pwned' Again". Forbes. Archived from the original on February 16, 2013. Retrieved January 3, 2013.
  2. 1 2 3 4 5 6 7 Sutter, John D. (August 4, 2011). "Sony gets 'epic fail' award from hackers". CNN. Retrieved January 3, 2013.
  3. Some of you may already be aware but due to extenuating circumstances we've made an early award!
  4. Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device’s Power LED
  5. @PwnieAwards (10 August 2022). "Our final nomination for Lamest Vendor Response goes to:Google TAG for "unilaterally shutting down a counterterrorism operation"" (Tweet) via Twitter.
  6. "Google's top security teams unilaterally shut down a counterterrorism operation".
  7. "Google's Project Zero shuts down Western counter-terrorist hacker team". 29 March 2021.
  8. Goodin, Dan (2021-04-21). "In epic hack, Signal developer turns the tables on forensics firm Cellebrite". Archived from the original on 2023-05-23.
  9. Cox, Joseph; Franceschi-Bicchierai, Lorenzo (2021-04-27). "Cellebrite Pushes Update After Signal Owner Hacks Device". Archived from the original on 2023-05-11.
  10. Brazeal, Forrest (11 June 2021). "The Ransomware Song". YouTube. Archived from the original on 2021-12-21. Retrieved 9 August 2021.
  11. Tsai, Orange. "ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!". www.blackhat.com. Retrieved 9 August 2021.
  12. "U/OO/104201-20 PP-19-0031 01/14/2020 National Security Agency | Cybersecurity Advisory 1 Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers" (PDF). Defense.gov. Retrieved 9 August 2021.
  13. Göktaş, Enes; Razavi, Kaveh; Portokalidis, Georgios; Bos, Herbert; Giuffrida, Cristiano. "Speculative Probing: Hacking Blind in the Spectre Era" (PDF).
  14. Kolsek, Mitja. "Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)". 0Patch Blog. Retrieved 9 August 2021.
  15. Alendal, Gunnar. "Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics". www.blackhat.com. Black Hat.
  16. "21Nails: Multiple vulnerabilities in Exim". qualys.com. Qualys. Retrieved 9 August 2021.
  17. "E-Soft MX survey". securityspace.com. E-Soft Inc. 1 March 2021. Retrieved 21 March 2021.
  18. Tsai, Orange. "Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!". www.blackhat.com. Retrieved 7 August 2019.
  19. "Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second", Vectorized Emulation
  20. "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd"
  21. 1 2 "Spectre Attacks: Exploiting Speculative Execution", Spectre
  22. 1 2 "Meltdown", Meltdown
  23. "Return Of Bleichenbacher’s Oracle Threat (ROBOT)"
  24. https://www.theregister.com/2018/08/31/bitfi_reluctantly_drops_unhackable_claim/ [ bare URL ]
  25. "Pwnie for Most Innovative Research", Pwnie Awards
  26. "Pwnie for Best Privilege Escalation Bug", Pwnie Awards
  27. "The 2017 Pwnie Award For Lamest Vendor Response", Pwnie Awards
  28. Hello (From the Other Side) Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner
  29. "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector", Erik Bosman et al.
  30. "DROWN: Breaking TLS using SSLv2" Nimrod Aviram et al.
  31. Cyberlier Katie Moussouris
  32. "'Will it Blend?' Earns Pwnie for Best Client Bug; OPM for Most Epic Fail".
  33. https://j00ru.vexillium.org/slides/2015/recon.pdf [ bare URL PDF ]
  34. "CERT/CC Vulnerability Note VU#552286".
  35. "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", Adrian David et al.
  36. "Identifying and Exploiting Windows Kernel RaceConditions via Memory Access Patterns"
  37. at 09:31, John Leyden 5 Oct 2012. "Experts troll 'biggest security mag in the world' with DICKish submission". www.theregister.co.uk. Retrieved 2019-10-03.{{cite web}}: CS1 maint: numeric names: authors list (link)
  38. 1 2 3 4 5 6 7 Yin, Sara (July 26, 2012). "And Your 2012 Pwnie Award Winners Are..." SecurityWatch. PCMag. Retrieved January 8, 2013.
  39. 1 2 3 4 5 Constantin, Lucian (July 26, 2012). "Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat". IDG-News-Service. PCWorld. Retrieved January 8, 2013.
  40. 1 2 3 Sean Michael Kerner (July 25, 2012). "Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail". InternetNews.com. Retrieved January 8, 2013.
  41. 1 2 3 4 5 6 7 8 Schwartz, Mathew J. (August 4, 2011). "Pwnie Award Highlights: Sony Epic Fail And More". InformationWeek. Retrieved January 3, 2013.
  42. "Kernel Attacks through User-Mode Callbacks"
  43. "Securing the Kernel via Static Binary Rewriting and Program Shepherding"
  44. "Interpreter Exploitation Pointer Inference and JIT Spraying"
  45. 1 2 3 Brown, Bob (July 31, 2009). "Twitter, Linux, Red Hat, Microsoft "honored" with Pwnie Awards". NetworkWorld. Archived from the original on August 5, 2009. Retrieved January 3, 2013.
  46. 1 2 3 Naone, Erica (August 7, 2008). "Black Hat's Pwnie Awards". MIT Technology Review. Retrieved January 3, 2013.
  47. 1 2 3 4 5 6 Naraine, Ryan (August 2, 2007). "OpenBSD team mocked at first ever 'Pwnie' awards". ZDNet. Archived from the original on February 17, 2013. Retrieved January 3, 2013.