Security Viewpoints » Security fun

Pwnie Award winners 2009

D Webber — Mon, 03 Aug 2009 21:39:00 +0000

The winners of the “prestigious” Pwnie Awards were announced last Saturday at Black Hat USA. The honored recipients are:

Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065)
Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation (CVE-2009-1185)
Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015)
Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844)
Best Research: From 0 to 0day on Symbian (pdf)
Lamest Vendor Response: Linux (for continually assuming that all kernel memory corruption bugs are only denial-of-service)
Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250)
Most Epic FAIL: Twitter Gets Hacked and the “Cloud Crisis”
Lifetime Achievement Award: Solar Designer
Best Song: Nice Report (mp3) by Doctor RAID

Linux was justly trashed in this year’s awards. The kernel bugs and the Red Hat (and Fedora) compromise were significant (Fedora was also hit), as was last year’s Pwnie winning Debian OpenSSL debacle.

Related posts:

Pwnie Award nominations close July 15

D Webber — Mon, 13 Jul 2009 12:04:44 +0000

The Pwnie Awards are back this year… and there are just two more days to submit your nominations.

The awards started in 2007 as a more than slightly irreverent recognition of “the best” in information security for the previous year. For The 2009 award categories are:

Best Server-Side Bug
Best Client-Side Bug
Mass 0wnage
Most Innovative Research
Lamest Vendor Response
Most Overhyped Bug
Best Song
Most Epic FAIL
Lifetime Achievement

The ceremony is held during Blackhat USA, but nominations must be in by this Wednesday.

Update (Jul 22 2009): The nominees have been announced.

Related posts:

Pwnie Award nominees are out

D Webber — Wed, 01 Aug 2007 13:56:09 +0000

The first annual Pwnie Awards have now published their list of nominees for 2007 and will be presenting the awards today at Blackhat Las Vegas. This extremely irreverent award was announced in July by security researcher Alexander Sotirov with the awards in the following categories:

Best Server-Side Bug
Best Client-Side Bug
Mass 0wnage
Most Innovative Research
Lamest Vendor Response
Most Overhyped Bug
Best Song

It’s always a good time when insiders poke fun at the security industry. The nominations are a good read. They’d be hilarious if they weren’t such a tragic illustration of the state of software today.

“Lamest vendor response” is my favorite category… when security is the last thing considered by software developers (assuming it’s considered at all), vendor action is critical. By now most vendors have learned to stop attacking security researchers who audit their products for free, but denial and downplaying the importance of flaws is still common. When serious flaws were reported in forensic tool EnCase (darling of law enforcement everywhere), the vendor reaction was a classic downplay and dismiss. One response tearing their argument apart was also classic.

Update: The “winners” have been announced.

Related posts:

Incredible statement

D Webber — Tue, 24 Oct 2006 02:37:54 +0000

We’ve all seen examples of really stupid security thinking, but I’m betting this is a joke…

"We’re going to buy Mac Minis and run Windows on them because Macs aren’t affected by these security problems."

Read the whole thing here: DeadBeefCafe Incredible statement.

No related posts.

Give us all your money

D Webber — Wed, 18 Oct 2006 11:05:23 +0000

Phishers just aren’t trying as hard as they used to: check out giveusallyourmoney.com (via Security Curve weblog)

Though the site is (I hope) a joke, when you press the submit button it takes you to a page “taketheirmoney.php” which right now spits out a nice PHP error message about not being able to open file “creditcards.txt”.

Oops… a security issue! Now we know the web server is running PHP and, since the PHP setting display_errors was left enabled, we can see physical directories on the server and what may be the username of the site owner. Very helpful to an attacker. If this site really was phishing for card numbers mistakes like this could lead to a breach!

(There are at least four other security issues with the site, but I’m not about to list them here. See how many problems you can spot!)

And speaking of security flaws, I think fixavote is brilliant (via Schneier on Security)

No related posts.

A literal trojan horse

D Webber — Thu, 31 Aug 2006 01:21:43 +0000

This is more appropriate as a Friday fun post and is the first (and probably last) time I’ve linked to a video, but this clip “What have we learned from history?” clip from the Australian satire program “The Chaser” is too funny not to share. (warning: YouTube link)

The show’s crew drove around Sydney towing a literal trojan horse asking if they could park it over night inside various compounds.

It’s farcical but when such an obvious (and I’d hope widely known) physical security attack like this still works, I guess it’s not surprising that methods like handing out trojaned CDROMs to London commuters or leaving infected USB keys in company parking lots are effective.

No related posts.