2008 Pwnie Award Nominees Announced

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.'"
  • by nathan s ( 719490 ) on Monday July 21, 2008 @04:52PM (#24280365) Homepage

    OMG PWNIESS!!!

  • Pwned (Score:5, Funny)

    by Anonymous Coward on Monday July 21, 2008 @04:53PM (#24280373)

    Their web server has been pwned.

    • Re:Pwned (Score:5, Informative)

      by Nos. ( 179609 ) <andrewNO@SPAMthekerrs.ca> on Monday July 21, 2008 @05:01PM (#24280467) Homepage

      Nominees

      We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.

      The winners of the Pwnie Awards will be announced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.

      Pwnie for Best Server-Side Bug

      Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

      • Windows IGMP kernel vulnerability (CVE-2007-0069 [mitre.org])

        Discovered by: Alex Wheeler and Ryan Smith

        Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability [iss.net] that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim [technet.com] that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit [immunitysec.com] for this vulnerability.

      • NetWare kernel DCERPC stack buffer overflow

        Discovered by: Nicolas Pouvesle

        At REcon 2008, Nicolas Pouvesle demonstrated [recon.cx] some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.

        This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.

      • ClamAV Remote Command Execution (CVE-2007-4560 [mitre.org])

        Discovered by: Nikolaos Rangos

        This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law [wikipedia.org] clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.

      • SQL Server 200
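As an added example (not ClamAV's code and not from the Pwnie site), the pattern described for the ClamAV bug above next to a shell-free replacement: the sendmail path, the allow-list rules and the constructed sample address are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern: the recipient is pasted into one command string that
   popen() hands to /bin/sh, so shell metacharacters in it are interpreted. */
char *build_sendmail_cmd_vulnerable(const char *recipient)
{
    char *cmd = malloc(strlen(recipient) + 32);
    if (!cmd) return NULL;
    sprintf(cmd, "/usr/sbin/sendmail %s", recipient); /* what popen(cmd, "w") would run */
    return cmd;
}

/* Allow-list check (assumed rules): one '@', no leading '-' (so the address
   cannot be parsed as an option), only [A-Za-z0-9.-_+@], sane length. */
int recipient_is_safe(const char *recipient)
{
    size_t n = strlen(recipient);
    if (n == 0 || n > 254 || recipient[0] == '-') return 0;
    const char *at = strchr(recipient, '@');
    if (!at || at == recipient || at[1] == '\0' || strchr(at + 1, '@')) return 0;
    for (const char *p = recipient; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr(".-_+@", *p)) return 0;
    return 1;
}

/* HARDENED pattern: validate, then fork/execv with the recipient as its own
   argv element. No shell is involved, so nothing is re-parsed. Returns the
   child's exit status, or -1 if the recipient is rejected or spawning fails. */
int sendmail_safe(const char *recipient, const char *body)
{
    if (!recipient_is_safe(recipient)) return -1;
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        dup2(fds[0], STDIN_FILENO); close(fds[0]); close(fds[1]);
        char *const argv[] = {"/usr/sbin/sendmail", (char *)recipient, NULL};
        execv(argv[0], argv);
        _exit(127);
    }
    close(fds[0]);
    if (write(fds[1], body, strlen(body)) < 0) { /* child already spawned */ }
    close(fds[1]);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *hostile = "alice@example.com;id"; /* constructed sample recipient */
    char *cmd = build_sendmail_cmd_vulnerable(hostile);
    printf("shell would run: %s\n", cmd);
    free(cmd);
    printf("accepted by allow-list: %d\n", recipient_is_safe(hostile));
    return 0;
}
```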

      • I'm glad I refreshed this page before posting that I managed to find out the categories before it succumbed. That would've been a self-own.
      • A "404 Not Found" page? Dummies... you should link to a DESCRIPTION of the bugs, not link to the actual bugs themselves!

        Oops, the page is just Slashdotted. Nevermind.
      • by Opyros ( 1153335 )

        Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

        Hate to nitpick, but one enters one's third decade upon turning 20!

      • by Trogre ( 513942 )

        Nominees

        * Best Server-Side Bug [slashdot.org]
        * Best Client-Side Bug [slashdot.org]
        * Mass 0wnage [slashdot.org]
        * Most Innovative Research [slashdot.org]
        * Lamest Vendor Response [slashdot.org]
        * Most Overhyped Bug [slashdot.org]
        * Best Song [slashdot.org]
        * Most Epic FAIL [slashdot.o

        • Oded Horowitz

          Like Cher, Oded only needs to go by his first name. He is that much of a bad ass.

        Well, why did they give his last name then?

    • don't you mean 'pwnied'?
  • by Anonymous Coward on Monday July 21, 2008 @04:55PM (#24280387)

    Security watchers and pundits might also like to take a look at this security news portal [360is.com].

    AG.

  • SdDOS (Score:2, Redundant)

    by jfroot ( 455025 )

    Maybe they should give themselves an award as they appear to be pwned by the Slashdot effect.

  • Did they nominate the slashdot effect as a security concern?
  • Interesting (Score:1, Troll)

    by Etrias ( 1121031 )
    What would be funny is if someone found out where their "undisclosed location" would be and published it.

    The Pwnies got PWNED!
  • by russlar ( 1122455 ) on Monday July 21, 2008 @04:59PM (#24280447)
    Did we just set some sort of record?
  • by Anonymous Coward on Monday July 21, 2008 @05:00PM (#24280461)

    Microsoft sure pwned the ISO when they got OOXML 'accepted' as a 'standard.'

    • Yes, it was a joke, but I still want to point out that "social hacking/engineering" and bribing/collusion are two very opposite things. While one employs some level of sophistication and utilizes positive human attributes such as intelligence and wit the other simply goes for the lowest common denominator and exploits negative human attributes such as greed and vanity.
  • http://pwnie-awards.org/ [pwnie-awards.org] The /. effect wins the day once again.
  • by djveer ( 1179631 ) on Monday July 21, 2008 @05:06PM (#24280557)
    From the "Most Epic FAIL" section... "Windows Vista for proving that security does not sell. $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is choosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements."

    I can agree with that completely. Windows Vista is significantly better for security than its predecessor and had fewer vulnerabilities in the first year of release. However, if people are so frustrated by the usability, hardware requirements, and confusing UAC prompts that they don't want to touch it with a 10-foot pole, that sort of seems like they're heading the wrong direction to me. They should be concentrating on making it more secure without direct user intervention.
    • by jd ( 1658 ) <imipak@ y a hoo.com> on Monday July 21, 2008 @06:02PM (#24281131) Homepage Journal

      Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabling them for example, or having a utility that injects a confirmation into the module that handles the dialog.

      I believe security can sell, but that paranoia and pestering won't. Mandatory access controls, role-based access controls and POSIX access control lists do not require pestering dialog. There are general-purpose operating systems rated A1 on the old Orange Book scale - the highest rating for host security you can get - and I doubt a single one requires massive user intervention to do anything more complex than Solitaire.

      I would argue, then, that the article is wrong on Vista, that Vista is NOT the most secure offering from Microsoft because users stop trusting the security facility and are more likely to accidentally permit applications to do something stupid. You have to consider the wetware, and the wetware is very easily overloaded with trivia. Vista is only the most secure offering from Microsoft if nobody uses it.

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        The UAC prompts in Vista seem annoying because they make a bad first impression... a lot of what you're doing with a new or upgraded computer is installing and tweaking things.

        Linux and Mac OS aren't really any different, I'm not sure why but they seem to get a bye on what is essentially the same thing (sudo GUI).

      • by Anonymous Coward on Monday July 21, 2008 @06:49PM (#24281563)

        No kidding. This needs to be modded as high as it can go: Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

        UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

        How the fuck should I know?!

        I mean, really, has anyone actually looked at those prompts? I consider myself fairly computer literate, but the prompts confuse me. I have no idea what they're asking about.

        Consider going to a car mechanic, and being told "we need access to your car, cancel or allow?" Do you allow them to have access? After all, they need access to your car to fix it. But do you trust them?

        In real life, you might do research on that. But you can't research the prompts in Vista. They're system modal. (Really. Microsoft themselves killed system modal mode in Windows 2000 only to reintroduce it in Vista.) So you can't go and look up if SMENTTYN.EXE is something you need to allow to access C:\WINDOWS or is something that shouldn't.

        (And what, exactly, does "access C:\WINDOWS" mean? Read something? Write something? Execute something? Who knows!)

        So instead most users just get fed up and Allow everything.

        And when they get pwned by a trojan horse that they never thought to question, Microsoft can honestly say that Windows didn't let it in: the user did by clicking "allow."

        Ignoring the fact that the user wasn't given enough information to make an informed decision and that Vista doesn't allow the user to do anything else until they've answered the question.

        Vista provides the illusion of security, but it's actually less secure than XP, since it conditions users to blindly allow everything they're asked to do until they get fed up and learn how to disable the security entirely. At least XP only asked Cancel or Allow when running executables downloaded from the Internet instead of just about everything.

        • Re: (Score:3, Insightful)

          by T.E.D. ( 34228 )

          Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

          UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

          Only if you are running as root. (I renamed "administrator" to "root" on my Vista box to avoid confusion.) Comparing apples with apples, what does my Debian box do when I'm running as root and a program wants to change something secured? Generally, it just lets the program d

      • Re: (Score:3, Insightful)

        There are general-purpose operating systems rated A1 on the old Orange Book scale

        A GPO that got a mathematical review? Like, reduced to a discrete graph and proven to function as predicted in all cases mathematically possible?

      • by Pr0xY ( 526811 ) on Monday July 21, 2008 @06:56PM (#24281655)

        Agreed...

        However, one thing to keep in mind is that currently the vast majority of "owned" Windows boxes were not infected by a remote exploit, but were infected by trojan horses.

        This poses an interesting and hard problem for Microsoft (I'm not trying to defend them, but I do believe in being fair). The issue is, how the heck do you prevent the installation of malware if the user ASKED for it to be installed?

        Windows Defender actually does a pretty good job here. It's not perfect, but nothing is. UAC is an "ok" solution and, to be honest, not too different from Ubuntu's password prompt during privileged operations.

        I think Microsoft got the "right idea" with UAC, but the implementation of it went very wrong. Primarily due to the coarse granularity of what is "privileged." It's a tough thing to get right, and the *nix world has an advantage in this category, namely that the users are *used* to things like sudo and su to do things that are privileged.

        I've seen plenty of Windows users complaining on forums about UAC with things like "why the heck do I need a UAC prompt for just changing the time?!?" They simply don't get that anything that could potentially have an effect on other users of the system is an "admin" task.

        So all in all, I think Vista is better, but is simply a tough pill to swallow for the users who simply don't care or don't get security concepts...

        I think something better with UAC would be something like: "You are about to install something, would you like it to be installed for the current user or every user on the system?" Default to current user, and if they pick "every user" ask them for a password then.

        • Re: (Score:2, Funny)

          by Geak ( 790376 )
          Very poorly implemented. The majority of people who use computers are completely computer illiterate. Most times I'm surprised they can figure out how to do something as technical as breathing. Anyway, what I'm getting at is they wouldn't know WTF "privileged" means in computer terms, even after consulting a dictionary.

          The dialog should just say, "You are about to give a program permission to do whatever the fuck it wants to your computer, including INFECT IT WITH A VIRUS if it so chooses!!!! Unless y
        • by jotok ( 728554 )

          However, one thing to keep in mind is that currently the vast majority of "owned" Windows boxes were not infected by a remote exploit, but were infected by trojan horses.

          Not disagreeing with you here, but cite your sources (I could use data like that).

      • by beav007 ( 746004 )

        Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabl

  • ZDNet has more info. (Score:3, Informative)

    by MRe_nl ( 306212 ) on Monday July 21, 2008 @05:08PM (#24280571)

    As their own site seems down, some more info here
    http://blogs.zdnet.com/security/?p=1519 [zdnet.com]

  • coral cache link (Score:5, Informative)

    by Anonymous Coward on Monday July 21, 2008 @05:30PM (#24280807)

    Thanks for slashdotting my poor little server on a DSL line :-)

    Try this: http://pwnie-awards.org.nyud.net/2008/awards.html [nyud.net]

    Alexander Sotirov
    Pwnie Awards

    • by russlar ( 1122455 ) on Monday July 21, 2008 @05:43PM (#24280937)
      Can we nominate you for a Pwnie Award for hosting a server on a DSL line?
      • Re: (Score:3, Funny)

        by Anonymous Coward

        Can we nominate you for a Pwnie Award for hosting a server on a DSL line?

        Sure, but I doubt you'll be able to get to the site to submit the nomination :-)

        I didn't expect to get Slashdotted. Last year I submitted a link to the awards and it didn't even make it to the front page, so I figured that nobody outside of the security industry cared.

        Alexander Sotirov
        Pwnie Awards

        • And for not posting relevant "News for Nerds", we pwned CmdrTaco at his anniversary party. Ask him for the pictures!
  • The next step for the Pwnie Awards judges will gather in an undisclosed location

    So how will they know where to go?

  • Life Lock Nomination (Score:4, Informative)

    by wiz31337 ( 154231 ) * on Monday July 21, 2008 @05:41PM (#24280911)

    I don't know if anyone else saw it, but Life Lock's very own CEO Todd Davis was nominated for a Pwnie for his brilliant idea to publicize his SSN.

    Someone was able to use his info to get a $500 fast cash loan.

    Not the most techie Pwnie but funny nonetheless.

  • by Anonymous Coward

    Posting anonymously for obvious reasons...

    My employer recently released a new "security measure" where our software phones home during installation (and ONLY during installation) to ensure the license key is valid (it has to be pre-generated on the server, avoiding the possibility for key generators).
    However, the code to do so is a very easy to "decompile" .NET assembly (not even obfuscated, and with REALLY obvious method and property names) - it took me literally about 15 minutes to make a new version of t

    • by HTH NE1 ( 675604 )

      I worked at a web design company (now defunct) where the standard way to handle forms data submitted via a secure socket layer was to e-mail them unencrypted to the client's mailbox, which was often an AOL.com address.

      And one client (a historical society site) who was quoted too low a price for a hosting plan with SSL had his forms hosted on another client's site (which sold lingerie, massage oils, candles, and Beanie Babies) that did have SSL, and those forms contained credit card information. A frameset w

  • Do I win? (Score:5, Funny)

    by pwnies ( 1034518 ) * <j@jjcm.org> on Monday July 21, 2008 @06:40PM (#24281465) Homepage Journal
    Do I win?
  • by dinodaizovi ( 1330195 ) on Monday July 21, 2008 @06:56PM (#24281653) Homepage
    We quickly moved the site to a server with real bandwidth. So slashdot away!

    Cheers,

    Dino Dai Zovi
    Pwnie Awards
  • by Trogre ( 513942 ) on Monday July 21, 2008 @10:06PM (#24283433) Homepage

    Pwnie for Most Overhyped Bug

    Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

    Dan Kaminsky

    Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

    Lamest Vendor Response

    Linus Torvalds

    Linux kernel non-disclosure policy

    Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security issues by defending silent patching of security vulnerabilities in the Linux kernel:

        So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

    Adding insult to injury:

        Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

        It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.
