Pwnie Awards

From HandWiki
Revision as of 15:33, 6 February 2024 by JMinHep (talk | contribs) (over-write)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Short description: Information security awards
Pwnie Awards
StatusActive
GenreAwards Ceremony
FrequencyAnnual
VenueSummercon, Black Hat
Years active17
Inaugurated2007 (2007)
FounderAlexander Sotirov, Dino Dai Zovi
Websitepwnies.com
The Pwnie Award is made from a My Little Pony toy.[1][2]

The Pwnie Awards recognize both excellence and incompetence in the field of information security[citation needed]. Winners are selected by a committee of security industry professionals from nominations collected from the information security community.[3] Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.[4]

Origins

The name Pwnie Award is based on the word "pwn", which is hacker slang meaning to "compromise" or "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards," pronounced as "Pony,"[4] is meant to sound like the Tony Awards, an awards ceremony for Broadway theater in New York City.

History

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi[3] following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability (CVE-2007-2175) and Alexander's discovery of an ANI file processing vulnerability (CVE-2007-0038) in Internet Explorer.

Winners

2022

  • Lamest Vendor Response: Google's "TAG" response team for fixing several zero-day exploits (something that is normally regarded as highly beneficial in IT security), because it allegedly and according to the jury "shut down a counterterrorism operation".[5].

2021

  • Lamest Vendor Response: Cellebrite, for their response to Moxie, the creator of Signal, reverse-engineering their UFED and accompanying software and reporting a discovered exploit.[6][7]
  • Epic Achievement: Ilfak Guilfanov, in honor of IDA's 30th Anniversary.
  • Best Privilege Escalation Bug: Baron Samedit of Qualys, for the discovery of a 10-year-old exploit in sudo.
  • Best Song: The Ransomware Song by Forrest Brazeal[8]
  • Best Server-Side Bug: Orange Tsai, for his Microsoft Exchange Server ProxyLogon attack surface discoveries.[9]
  • Best Cryptographic Attack: The NSA for its disclosure of a bug in the verification of signatures in Windows which breaks the certificate trust chain.[10]
  • Most Innovative Research: Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos, and Cristiano Giuffrida at VUSec for their research on the "BlindSide" Attack.[11]
  • Most Epic Fail: Microsoft, for their failure to fix PrintNightmare.[12]
  • Best Client-Side Bug: Gunnar Alendal's discovery of a buffer overflow on the Samsung Galaxy S20's secure chip.[13]
  • Most Under-Hyped Research: The Qualys Research Team for 21Nails,[14] 21 vulnerabilities in Exim, the Internet's most popular mail server.[15]

2020

2019

  • Best Server-Side Bug: Orange Tsai and Meh Chang, for their SSL VPN research.[17]
  • Most Innovative Research: Vectorized Emulation[18] Brandon Falk
  • Best Cryptographic Attack: \m/ Dr4g0nbl00d \m/ [19] Mathy Vanhoef, Eyal Ronen
  • Lamest Vendor Response: Bitfi
  • Most Over-hyped Bug: Allegations of Supermicro hardware backdoors, Bloomberg
  • Most Under-hyped Bug: Thrangrycat, Jatin Kataria, Red Balloon Security

2018

  • Most Innovative Research: Spectre[20]/Meltdown[21] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
  • Best Privilege Escalation Bug: Spectre[20]/Meltdown[21] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, Yuval Yarom
  • Lifetime Achievement: Michał Zalewski
  • Best Cryptographic Attack: ROBOT - Return Of Bleichenbacher’s Oracle Threat [22] Hanno Böck, Juraj Somorovsky, Craig Young
  • Lamest Vendor Response: Bitfi - a late entry that had received thousands of nominations after multiple hackers cracked Bitfi's device following John McAfee's praising of the device for its security. Even though hackers cracked the device, by design the device does not contain private keys therefore breaking into the device would not result in a successful extraction of funds. Bitfi was eager to pay bounties and followed all the rules as stipulated. An announcement was made on September 8, 2018 with details on which bounty conditions were met and which payments would be made.[23]

2017

  • Epic Achievement: Finally getting TIOCSTI ioctl attack fixed Federico Bento
  • Most Innovative Research: ASLR on the line [24] Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos, Cristiano Giuffrida
  • Best Privilege Escalation Bug: DRAMMER [25] Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, Cristiano Giuffrida
  • Best Cryptographic Attack: The first collision for full SHA-1 Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
  • Lamest Vendor Response: Lennart Poettering - for mishandling security vulnerabilities most spectacularly for multiple critical Systemd bugs[26]
  • Best Song: Hello (From the Other Side)[27] - Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner

2016

  • Most Innovative Research: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector [28] Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida
  • Lifetime Achievement: Peiter Zatko aka Mudge
  • Best Cryptographic Attack: DROWN attack[29] Nimrod Aviram et al.
  • Best Song: Cyberlier[30] - Katie Moussouris

2015

Winner list from.[31]

  • Best Server-Side Bug: SAP LZC LZH Compression Multiple Vulnerabilities, Martin Gallo
  • Best Client–Side Bug: Will it BLEND?[32], Mateusz j00ru Jurczyk
  • Best Privilege Escalation Bug: UEFI SMM Privilege Escalation,[33] Corey Kallenberg
  • Most Innovative Research: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice [34] Adrian David et al.
  • Lamest Vendor Response: Blue Coat Systems (for blocking Raphaël Rigo‘s research presentation at SyScan 2015)
  • Most Overhyped Bug: Shellshock (software bug), Stephane Chazelas
  • Most Epic FAIL: OPM - U.S. Office of Personnel Management (for losing data on 19.7 Million applicants for US government security clearances.)
  • Most Epic 0wnage: China
  • Best Song: "Clean Slate" by YTCracker
  • Lifetime Achievement: Thomas Dullien aka Halvar Flake

2014

  • Best Server-Side Bug: Heartbleed (Neel Mehta and Codenomicon, CVE-2014-0160)
  • Best Client-Side Bug: Google Chrome Arbitrary Memory Read Write Vulnerability, (Geohot, CVE-2014-1705)
  • Best Privilege Escalation Bug: AFD.sys Dangling Pointer Vulnerability (Sebastian Apelt, CVE-2014-1767); the winner of Pwn2Own 2014.
  • Most Innovative Research: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis (Daniel Genkin, Adi Shamir, Eran Tromer); extract RSA decryption keys from laptops within an hour by using the sounds generated by the computer.
  • Lamest Vendor Response: AVG Remote Administration Insecure “By Design” (AVG)
  • Best Song: "The SSL Smiley Song" (0xabad1dea)
  • Most Epic Fail: Goto Fail (Apple Inc.)
  • Epic 0wnage: Mt. Gox, (Mark Karpelès)

2013

  • Best Server-Side Bug: Ruby on Rails YAML (CVE-2013-0156) Ben Murphy
  • Best Client-Side Bug: Adobe Reader Buffer Overflow and Sandbox Escape (CVE-2013-0641) Unknown
  • Best Privilege Escalation Bug: iOS incomplete codesign bypass and kernel vulnerabilities (CVE-2013-0977, CVE-2013-0978, CVE-2013-0981) David Wang aka planetbeing and the evad3rs team
  • Most Innovative Research: Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns[35] Mateusz "j00ru" Jurczyk, Gynvael Coldwind
  • Best Song: "All the Things" Dual Core
  • Most Epic Fail: Nmap: The Internet Considered Harmful - DARPA Inference Checking Kludge Scanning Hakin9[36]
  • Epic 0wnage: Joint award to Edward Snowden and the NSA
  • Lifetime Achievement: Barnaby Jack

2012

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw.[37][38] Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest.[37][39]

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows.[37][38] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.[37][38]

The award for best song went to "Control" by nerdcore rapper Dual Core.[37] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.[37]

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony.[37][39] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).[38]

The award for "epic 0wnage" went to Flame for its MD5 collision attack,[39] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.[38]

2011

2010

  • Best Server-Side Bug: Apache Struts2 framework remote code execution (CVE-2010-1870) Meder Kydyraliev
  • Best Client-Side Bug: Java Trusted Method Chaining (CVE-2010-0840) Sami Koivu
  • Best Privilege Escalation Bug: Windows NT #GP Trap Handler (CVE-2010-0232) Tavis Ormandy
  • Most Innovative Research: Flash Pointer Inference and JIT Spraying[43] Dionysus Blazakis
  • Lamest Vendor Response: LANrev remote code execution Absolute Software
  • Best Song: "Pwned - 1337 edition" Dr. Raid and Heavy Pennies
  • Most Epic Fail: Microsoft Internet Explorer 8 XSS filter

2009

  • Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065) David 'DK2' Kim
  • Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation (CVE-2009-1185) Sebastian Krahmer
  • Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015) Ryan Smith and Alex Wheeler
  • Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844) Anonymous[3]
  • Best Research: From 0 to 0day on Symbian Credit: Bernhard Mueller
  • Lamest Vendor Response: Linux "Continually assuming that all kernel memory corruption bugs are only Denial-of-Service" Linux Project[44]
  • Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow (CVE-2008-4250) Anonymous[44]
  • Best Song: Nice Report Doctor Raid
  • Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis" Twitter[3]
  • Lifetime Achievement Award: Solar Designer[44]

2008

  • Best Server-Side Bug: Windows IGMP Kernel Vulnerability (CVE-2007-0069) Alex Wheeler and Ryan Smith
  • Best Client-Side Bug: Multiple URL protocol handling flaws Nate McFeters, Rob Carter, and Billy Rios
  • Mass 0wnage: An unbelievable number of WordPress vulnerabilities
  • Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys (honorable mention was awarded to Rolf Rolles for work on virtualization obfuscators) J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten
  • Lamest Vendor Response: McAfee's "Hacker Safe" certification program[45]
  • Most Overhyped Bug: Dan Kaminsky's DNS Cache Poisoning Vulnerability (CVE-2008-1447)[45]
  • Best Song: Packin' the K! by Kaspersky Labs[45]
  • Most Epic Fail: Debian's flawed OpenSSL Implementation (CVE-2008-0166)
  • Lifetime Achievement Award: Tim Newsham

2007

References

  1. Rashid, Fahmida Y. (August 2, 2011). "Pwnie Awards Nominees in 2011 Include Sony, Anonymous, LulzSec, WikiLeaks". eWeek. http://www.eweek.com/c/a/Security/Pwnie-Awards-in-2011-Include-Sony-Anonymous-LulzSec-WikiLeaks-113818/. 
  2. "I like how the wikipedia article for pwnie awards say the trophy "resembles" a my little pony. I have one physically in my hands and I can assure you it's literally an actual my little pony, they just spray paint it" (Tweet). 11 July 2023. https://twitter.com/0xabad1dea/status/1678852947940106240. "I like how the wikipedia article for pwnie awards say the trophy "resembles" a my little pony. I have one physically in my hands and I can assure you it's literally an actual my little pony, they just spray paint it" 
  3. 3.0 3.1 3.2 3.3 Buley, Taylor (July 30, 2009). "Twitter Gets 'Pwned' Again". Forbes. https://www.forbes.com/2009/07/30/pwnie-twitter-blackhat-technology-security-pwnie.html. 
  4. 4.0 4.1 4.2 4.3 4.4 4.5 4.6 Sutter, John D. (August 4, 2011). "Sony gets 'epic fail' award from hackers". CNN. http://www.cnn.com/2011/TECH/web/08/04/pwnie.awards.hacking/index.html. 
  5. @PwnieAwards (10 August 2022). "Our final nomination for Lamest Vendor Response goes to:Google TAG for “unilaterally shutting down a counterterrorism operation”.". https://twitter.com/PwnieAwards/status/1557268652197416966. 
  6. Goodin, Dan (2021-04-21). "In epic hack, Signal developer turns the tables on forensics firm Cellebrite". https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/. 
  7. Cox, Joseph; Franceschi-Bicchierai, Lorenzo (2021-04-27). "Cellebrite Pushes Update After Signal Owner Hacks Device". https://www.vice.com/en/article/qj8pjm/cellebrite-pushes-update-after-signal-owner-hacks-device. 
  8. Brazeal, Forrest. "The Ransomware Song". https://www.youtube.com/watch?v=d2dsI8NvdCU. 
  9. Tsai, Orange. "ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!". https://www.blackhat.com/us-21/briefings/schedule/#proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server-23442. 
  10. "U/OO/104201-20 PP-19-0031 01/14/2020 National Security Agency | Cybersecurity Advisory 1 Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers". https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF. 
  11. Göktaş, Enes; Razavi, Kaveh; Portokalidis, Georgios; Bos, Herbert; Giuffrida, Cristiano. "Speculative Probing: Hacking Blind in the Spectre Era". https://download.vusec.net/papers/blindside_ccs20.pdf. 
  12. Kolsek, Mitja. "Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)" (in en). https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html. 
  13. Alendal, Gunnar. "Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics". Black Hat. https://www.blackhat.com/us-21/briefings/schedule/#chip-chop---smashing-the-mobile-phone-secure-chip-for-fun-and-digital-forensics-23566. 
  14. "21Nails: Multiple vulnerabilities in Exim". Qualys. https://www.qualys.com/2021/05/04/21nails/21nails.txt. 
  15. "E-Soft MX survey". E-Soft Inc.. 1 March 2021. http://www.securityspace.com/s_survey/data/man.202102/mxsurvey.html. 
  16. Powertrace Rebekka Aigner, Daniel Gruss, Manuel Weber, Moritz Lipp, Patrick Radkohl, Andreas Kogler, Maria Eichlseder, ElTonno, tunefish, Yuki, Kater
  17. Tsai, Orange. "Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!". https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa---pre-auth-rce-on-leading-ssl-vpns-15545. 
  18. "Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second", Vectorized Emulation
  19. "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd"
  20. 20.0 20.1 "Spectre Attacks: Exploiting Speculative Execution", Spectre
  21. 21.0 21.1 "Meltdown", Meltdown
  22. "Return Of Bleichenbacher’s Oracle Threat (ROBOT)"
  23. "Important Statement from Bitfi", Bitfi Public Announcement
  24. "Pwnie for Most Innovative Research", Pwnie Awards
  25. "Pwnie for Best Privilege Escalation Bug", Pwnie Awards
  26. "The 2017 Pwnie Award For Lamest Vendor Response", Pwnie Awards
  27. Hello (From the Other Side) Manuel Weber, Michael Schwarz, Daniel Gruss, Moritz Lipp, Rebekka Aigner
  28. "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector", Erik Bosman et al.
  29. "DROWN: Breaking TLS using SSLv2" Nimrod Aviram et al.
  30. Cyberlier Katie Moussouris
  31. https://www.darkreading.com/vulnerabilities-threats/-will-it-blend-earns-pwnie-for-best-client-bug-opm-for-most-epic-fail
  32. https://j00ru.vexillium.org/slides/2015/recon.pdf
  33. https://www.kb.cert.org/vuls/id/552286
  34. "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", Adrian David et al.
  35. "Identifying and Exploiting Windows Kernel RaceConditions via Memory Access Patterns"
  36. at 09:31, John Leyden 5 Oct 2012. "Experts troll 'biggest security mag in the world' with DICKish submission" (in en). https://www.theregister.co.uk/2012/10/05/hakin9_silliness/. 
  37. 37.0 37.1 37.2 37.3 37.4 37.5 37.6 Yin, Sara (July 26, 2012). "And Your 2012 Pwnie Award Winners Are...". SecurityWatch. PCMag. http://securitywatch.pcmag.com/none/300756-and-your-2012-pwnie-award-winners-are. 
  38. 38.0 38.1 38.2 38.3 38.4 Constantin, Lucian (July 26, 2012). "Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat". IDG-News-Service. PCWorld. http://www.pcworld.com/article/259916/flames_windows_update_hack_wins_pwnie_award_for_epic_ownage_at_black_hat.html. 
  39. 39.0 39.1 39.2 Sean Michael Kerner (July 25, 2012). "Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail". InternetNews.com. http://www.internetnews.com/blog/skerner/black-hat-pwnie-awards-go-to-flame-for-epic-pwnage-and-f5-for-epic-fail.html. 
  40. 40.0 40.1 40.2 40.3 40.4 40.5 40.6 40.7 Schwartz, Mathew J. (August 4, 2011). "Pwnie Award Highlights: Sony Epic Fail And More". InformationWeek. http://www.informationweek.com/security/attacks/pwnie-award-highlights-sony-epic-fail-an/231300255. 
  41. "Kernel Attacks through User-Mode Callbacks"
  42. "Securing the Kernel via Static Binary Rewriting and Program Shepherding"
  43. "Interpreter Exploitation Pointer Inference and JIT Spraying"
  44. 44.0 44.1 44.2 Brown, Bob (July 31, 2009). "Twitter, Linux, Red Hat, Microsoft "honored" with Pwnie Awards". NetworkWorld. http://www.networkworld.com/news/2009/073109-black-hat-pwnie-awards.html. 
  45. 45.0 45.1 45.2 Naone, Erica (August 7, 2008). "Black Hat's Pwnie Awards". MIT Technology Review. http://www.technologyreview.com/view/410571/black-hats-pwnie-awards/. 
  46. 46.0 46.1 46.2 46.3 46.4 46.5 Naraine, Ryan (August 2, 2007). "OpenBSD team mocked at first ever 'Pwnie' awards". ZDNet. http://www.zdnet.com/blog/security/openbsd-team-mocked-at-first-ever-pwnie-awards/418. 

External links