Pwnie Awards for Heartbleed, “goto fail”, Mt. Gox

The Pwnie Awards, named after the hacker vernacular “pwn”, for “to own”, “to control” or “to compromise,” have been recognizing information security excellence and ignominy since 2007.

There is a trophy involved.

It’s a golden My Little Pony toy with a Black Hat logo plastered on its behind.

This year, at Wednesday night’s awards ceremony at Black Hat 2014, Heartbleed, “goto fail” and Mt. Gox were just a few of the security issues that received acknowledgement for spectacular pwnage, stellar achievement on the part of researchers, and/or head-smackery for lame-o vendor responses, among other categories.

The judges: a star-spangled panel of security researchers, featuring Dino Dai Zovi, Justine Aitel, Mark Dowd, Alexander Sotirov, Brandon Edwards, Christopher Valasek, and HD Moore.

Without further ado, here’s the herd of this year’s Pwnies:

Best Server-Side Bug: Heartbleed.

Naked Security’s Mark Stockley called it a crack in one of the hefty pillars of software infrastructure that support the internet itself.

First showing up in April, the buffer overflow bug fatally fissured the immensely popular encryption mechanism of the OpenSSL library.

That meant that the software almost everyone was using to secure secret things like passwords, session keys and private data was instead actively disgorging secret things like passwords, session keys and private data.

In terms of its merchandising chic, the judges noted that Heartbleed was a “cool bug” that started the trend of slapping names, websites and logos onto vulnerabilities.

Best Client-Side Bug: Google Chrome Arbitrary Memory Read-Write Vulnerability, credited to 24-year-old George Hotz, also known as Geohot.

The nominations page notes that Geohot won for his work on this flaw in the Google Chrome operating system “by chaining together four vulnerabilities, starting with a logic flaw in Chrome that let him read and write arbitrary memory.”

Best Privilege Escalation Bug: AFD.sys Dangling Pointer Vulnerability, credited to Sebastian Apelt.

The judges said the exploit is “a great example of using a kernel exploit to escape the Internet Explorer 11 sandbox on Windows 8.1.”

Most Innovative Research: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis, credited to Daniel Genkin, Adi Shamir, Eran Tromer.

The judges called the research “fascinating.”

As Naked Security’s Paul Ducklin described when the researchers’ paper came out in late 2013, the researchers discovered that RSA key material could be extracted by using the sound generated by a computer during the decryption of some chosen ciphertexts.

The attack could be carried out with either a plain mobile phone placed next to a computer or a more sensitive microphone placed four meters away, to extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour.

Lamest Vendor Response: AVG, which was awarded for the most spectacular mishandling of vulnerabilities, after rechristening security weaknesses as being “by design”.

AVG even beat the nominee “Daniel” from Open Cert, who replied to a researcher’s request for the appropriate email address for vulnerability disclosures with this memorable (and NSFW) comeback:

it was not ignored d*ck head why lie! are you a professional or not? professionals don't need to lie to prove a point they use facts!

Most Epic Fail: Apple “goto fail”.

Apple’s “goto fail” featured not one, but two “goto fails” – i.e., SSL flaws in OS X caused by a line of C code that says “goto fail” – that could have allowed attackers to eavesdrop on a target’s communications, including email, FaceTime video conversations, and Find My Mac tracking information.

The judges forgave Apple’s obvious sucking-up, they said, noting that typically, they don’t…

... take kindly to "Pwnie Bait" vulnerabilities that have been introduced and named just to earn the coveted Epic FAIL Pwnie, but we'll let this one slide, Apple.

Most Epic 0wnage: Mt. Gox.

This Pwnie goes for a mountain’s worth of chutzpah. Mt. Gox, formerly the world’s biggest Bitcoin exchange, pumped up the price of BTC way over competing exchanges and then spiraled down the flusher, taking hundreds of millions of dollars with it.

The Gox refused to issue cash or Bitcoin withdrawals, claiming it had been hacked.

Attackers seized control of the CEO’s personal blog and accused him of stealing 100,000 Bitcoins.

From the judges:

...analysis points to [Mt. Gox CEO Mark Karpelès] either being the dumbest developer in the history of mankind or complicit in the theft of Mt. Gox user's funds.

And last but most certainly not least, the musical award goes to…

Best Song: 0xabad1dea’s SSL Smiley Song, sung to the tune of “Jingle Bells”:

Dashing through the cloud

On a ten gigabit link

One packet in a crowd

Falls into the data sink!

The news means that Certified Information Systems Security Professionals, also known as CISSPs, also known as the Gods of certification, are going to have to suck it up and deal, given that her song beat out Host Unknown’s I’m a C I Double S P.

Sorry. Each one of you is still

an f'n C I double S P!

…as far as we’re concerned!

Congratulations (or, sorry), winners!