2008 Pwnie Award Nominees Announced

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.'"

Obligatory..

[nathan+s]

OMG PWNIESS!!!

Re:Obligatory..

[Nerdfest]

I can't believe I haven't heard that before. Maybe it's because I pronounce the P as an O ... I always thought 'pwn' was just the way it was spelled.

Re:Obligatory..

[nathan+s]

Oh, I used to hear it your way.

However, I think my hearing of the word was forever corrupted by the South Park episode where everyone was playing World of Warcraft.;) Worth watching if you haven't seen it, for chuckles.

Re:Obligatory..

[mightyQuin]

One of the best episodes ever, in my opinion. After reading this summary, I could hear Cartman saying, "you're about to get pwned".

Re:Obligatory..

[pwnies]

You called?

Re:Obligatory..

[prennix]

full episode here:
http://www.southparkstudios.com/episodes/103797/

Re:Obligatory..

[aldo.gs]

Reminds me of that comment when someone wrote "*Shakes little fist*" and then Little fist replied with "cut it out". Very surreal stuff, heh.

Re:Obligatory..

[colourmyeyes]

Jesus, that flash video player is abhorrent. Doesn't work for shit for me.

Re:Obligatory..

[Haeleth]

And whatever happened to New Here? :D

Pwned

Their web server has been pwned.

Re:Pwned

[Nos.]

Nominees

• Best Server-Side Bug
• Best Client-Side Bug
• Mass 0wnage
• Most Innovative Research
• Lamest Vendor Response
• Most Overhyped Bug
• Best Song
• Most Epic FAIL
• Lifetime Achievement Award

We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.

The winners of the Pwnie Awards will be anounced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

• Windows IGMP kernel vulnerability (CVE-2007-0069)

  Discovered by: Alex Wheeler and Ryan Smith

  Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.

• NetWare kernel DCERPC stack buffer overflow

  Discovered by: Nicolas Pouvesle

  At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.

  This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.

• ClamAV Remote Command Execution (CVE-2007-4560)

  Discovered by: Nikolaos Rangos

  This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.

• SQL Server 200

Re:Pwned

[The+Master+Control+P]

I'm glad I refreshed this page before posting that I managed to find out the categories before it succumbed. That would've been a self-own.

Re:Pwned

[Opyros]

Like models, hackers wear a lot of black, think they are more famous than they are, and their career effectively ends at age 30. Either way, upon entering one's third decade, it is time to put down the disassembler and consider a relaxing job in management.

Hate to nitpick, but one enters one's third decade upon turning 20!

Re:Pwned

[Trogre]

Nominees

        * Best Server-Side Bug [slashdot.org]
        * Best Client-Side Bug [slashdot.org]
        * Mass 0wnage [slashdot.org]
        * Most Innovative Research [slashdot.org]
        * Lamest Vendor Response [slashdot.org]
        * Most Overhyped Bug [slashdot.org]
        * Best Song [slashdot.org]
        * Most Epic FAIL [slashdot.org]
        * Lifetime Achievement Award [slashdot.org]

What, Slashdot.org is the sole nominee for all categories? Fair enough for most of them I guess, but best Song? Has CowboyNeal put out an album lately?

Re:Pwned

[xouumalperxe]

don't you mean 'pwnied'?

Re:Pwned

[xouumalperxe]

We're programmers here, we start at the zero-th decade, you noob.

Re:Pwned

[andy.ruddock]

OMG PWNED LOL !!!

Re:Pwned

[kalirion]

• Oded Horowitz

  Like Cher, Oded only needs to go by his first name. He is that much of a bad ass.

Well, why did they give his last name then?

Re:Pwned

[Hobbs114]

Hate to nitpick, but one enters one's third decade upon turning 20!

If you're going to nitpick, at least be accurate! Turning 20 is still in the second decade, you wouldn't enter your third decade until 20.000...001 years, Duh!

Consolidated Security News Site

Security watchers and pundits might also like to take a look at this security news portal.

AG.

I nominate

[spankymm]

Dan Kamikaze

Yeah, I know...

SdDOS

[jfroot]

Maybe they should give themselves an award as they appear to be pwned by the Slashdot effect.

Site seems to be PWNED

[kipin]

Did they nominate the slashdot effect as a security concern?

Re:Site seems to be PWNED

[jorgevillalobos]

Concern? Their collapsed server is now more secure than it has ever been!

Interesting

[Etrias]

What would be funny if someone found out where their "undisclosed location" would be and published it.

The Pwnies got PWNED!

Pwnd

Pwned Compilation

Slashdotted in under 10 minutes!

[russlar]

Did we just set some sort of record?

Re:Slashdotted in under 10 minutes!

no

Re:Slashdotted in under 10 minutes!

No, but if it has been in under 42 seconds, it would have been a new record.

Re:Slashdotted in under 10 minutes!

[rbb]

I wonder if that's worth a pwnie award as well :P

Re:Slashdotted in under 10 minutes!

[Jurily]

Remember that poor little C64?

Oh great. Now I've done it again.

does social hacking count?

Microsoft sure pwned the ISO when they got OOXML 'accepted' as a 'standard.'

Re:does social hacking count?

[nephridium]

Yes, it was a joke, but I still want to point out that "social hacking/engineering" and bribing/collusion are two very opposite things. While one employs some level of sophistication and utilizes positive human attributes such as intelligence and wit the other simply goes for the lowest common denominator and exploits negative human attributes such as greed and vanity.

Slashdotted in 8 minutes!!

[phoneteller]

I can't go to that site now, its down.

The newly-created 10th pwnie award goes to:

[mad_psych0]

http://pwnie-awards.org/ The /. effect wins the day once again.

anonymous coward

looks like their server has already been pwned by /.

Most EPIC fail, Windows Vista?

[djveer]

From the "Most Epic FAIL" section... "Windows Vista for proving that security does not sell $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is chosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements."

I can agree with that completely. Windows Vista is significantly better for security than it's predecessor and had fewer vulnerabilities in the first year of release. However if people are so frustrated by the usability, hardware requirements, and confusing UAC prompts that they don't want to touch it with a 10-foot pole, that sort of seems like they're heading the wrong direction to me. They should be concentrating on making it more secure without direct user intervention.

Re:Most EPIC fail, Windows Vista?

[jd]

Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabling them for example, or having a utility that injects a confirmation into the module that handles the dialog.

I believe security can sell, but that paranoia and pestering won't. Mandatory access controls, role-based access controls and POSIX access control lists do not require pestering dialog. There are general-purpose operating systems rated A1 on the old Orange Book scale - the highest rating for host security you can get - and I doubt a single one requires massive user intervention to do anything more complex than Solitaire.

I would argue, then, that the article is wrong on Vista, that Vista is NOT the most secure offering from Microsoft because users stop trusting the security facility and are more likely to accidentally permit applications to do something stupid. You have to consider th wetware, and the wetware is very easily overloaded with trivia. Vista is only the most secure offering from Microsoft if nobody uses it.

Re:Most EPIC fail, Windows Vista?

The UAC prompts in Vista seem annoying because they make a bad first impression... a lot of what you're doing with a new or upgraded computer is installing and tweaking things.

Linux and Mac OS aren't really any different, I'm not sure why but they seem to get a bye on what is essentially the same thing (sudo GUI).

Re:Most EPIC fail, Windows Vista?

No kidding. This needs to be modded as high as it can go: Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

How the fuck should I know?!

I mean, really, has anyone actually looked at those prompts? I consider myself fairly computer literate, but the prompts confuse me. I have no idea what they're asking about.

Consider going to a car mechanic, and being told "we need access to your car, cancel or allow?" Do you allow them to have access? After all, they need access to your car to fix it. But do you trust them?

In real life, you might do research on that. But you can't research the prompts in Vista. They're system modal. (Really. Microsoft themselves killed system modal mode in Windows 2000 only to reintroduce it in Vista.) So you can't go and look up if SMENTTYN.EXE is something you need to allow to access C:\WINDOWS or is something that shouldn't.

(And what, exactly, does "access C:\WINDOWS" mean? Read something? Write something? Execute something? Who knows!)

So instead most users just get fed up and Allow everything.

And when they get pwned by a trojan horse that they never thought to question, Microsoft can honestly say that Windows didn't let it in: the user did by clicking "allow."

Ignoring the fact that the user wasn't given enough information to make an informed decision and that Vista doesn't allow the user to do anything else until they've answered the question.

Vista provides the illusion of security, but it's actually less secure than XP, since it conditions users to blindly allow everything they're asked to do until they get fed up and learn how to disable the security entirely. At least XP only asked Cancel or Allow when running executables downloaded from the Internet instead of just about everything.

Re:Most EPIC fail, Windows Vista?

[bluefoxlucid]

There are general-purpose operating systems rated A1 on the old Orange Book scale

A GPO that got a mathematical review? Like, reduced to a discrete graph and proven to function as predicted in all cases mathematically possible?

Re:Most EPIC fail, Windows Vista?

[Pr0xY]

Agreed...

However, one thing to keep in mind is that currently the vast majority of "owned" windows boxes, were not infected by an remote exploit, but were infected by trojan horses.

This poses an interesting and hard problem for Microsoft (i'm not trying to defend them, but i do believe in being fair). The issue is, how the heck do you prevent the installation of malware if the user ASKED for it to be installed?

Windows defender actually does a pretty good job here. It's not perfect, but nothing is. UAC is an "ok" solution and to be honest, not too different from Ubunut's password prompt during privileged operations.

I think Microsoft got the "right idea" with UAC, but the implementation of it went very wrong. Primarily due to the coarse granularity of what is "privileged." It's a tough thing to get right, and the *nix world has an advantage in this category, namely that the users are *used* to things like sudo and su to do things that are privileged.

I've seen plenty of Windows users complaining on forums about UAC with things like "why the heck do I need a UAC prompt for just changing the time?!?" They simply don't get that anything that could potentially have an effect on other users of the system is an "admin" task.

So all in all, I think Vista is better, but is simply a tough pill to swallow for the users who simply don't care or don't get security concepts...

I think something better with UAC would be something like: "You are about to install something, would you like it to be installed for the current user or every user on the system?" Default to current user, and if they pick "every user" ask them for a password then.

Re:Most EPIC fail, Windows Vista?

[beav007]

Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabling them for example, or having a utility that injects a confirmation into the module that handles the dialog.

Want to know exactly how true this is?

Hands up if you know what "EnableBalloonTips" is, and what it does.

Re:Most EPIC fail, Windows Vista?

Hands up if you know what "EnableBalloonTips" is, and what it does.

I'll bite. It sounds like something it enables balloon tips.

(Bear in mind I have never, in more than ten years of playing with computers (holy shit, did I get old?!), run Windows for more than a couple weeks. I'll freely admit to ignorance on the little things... as an AC. :-))

Re:Most EPIC fail, Windows Vista?

[jd]

That is entirely correct. AESEC makes the claim that: "GEMSOS is the only general-purpose kernel in the world rated Class A1: Verified Protection by the National Security Agency."

The other place you want to check is the paper on security kernels. This describes how to reach A1 (CC7) without having to prove the entire OS.

Re:Most EPIC fail, Windows Vista?

[Geak]

Very poorly implemented. The majority of people who use computers are completely computer illiterate. Most times I'm suprised they can figure out how to do something as technical as breathing. Anyway, what I'm getting at is they wouldn't know WTF "privileged" means in computer terms, even after consulting a dictionary.

The dialog should just say, "You are about to give a program permission to do whatever the fuck it wants to your computer, including INFECT IT WITH A VIRUS if it so chooses!!!! Unless you know 100% that the program is safe to run, or at least know how to fix ANY problem if it occurs, I strongly suggest you PROMPTLY CLICK NO!!!!". If they click the yes button they should be prompted for their windows product key, twice.

This might discourage people from clicking yes to everything. It may also discourage software companies from writing software that requires admin access. Better yet, it may encourage people who don't know how to use a computer to not use one. Then they can go back to using crayons, paper, envelopes and stamps to send an email.

Re:Most EPIC fail, Windows Vista?

[jotok]

However, one thing to keep in mind is that currently the vast majority of "owned" windows boxes, were not infected by an remote exploit, but were infected by trojan horses.

Not disagreeing with you here, but cite your sources (I could use data like that).

Re:Most EPIC fail, Windows Vista?

[T.E.D.]

Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

Only if you are running as root. (I renamed "administrator" to "root" on my Vista box to avoid confusion.) Comparing apples with apples, what does my Debian box do when I'm running as root and a program wants to change something secured? Generally, it just lets the program do it with no warning whatsoever.

Of course running general programs as root is considered stoopid (beyond "stupid"). So lets pretend we are smart and don't run as root. Then we run a program that needs root to accomplish something. On my Debian box either the program fails, or I get a password prompt for the root account. Continuing with this radical concept of comparing apples to apples: doing the same on my Vista box gives me....the exact same result. Some programs fail, some (perhaps most) give me a password prompt for the root account.

What really used to make Windows boxes so insecure was that it was such a PITA to elevate to root privs on the occasions you needed it that nobody bothered running any other way, despite the insane security risk. This is what Vista fixed.

ZDNet has more info.

[MRe_nl]

As their own site seems down, some more info here
http://blogs.zdnet.com/security/?p=1519

Everyone hates Pwnie

Always getting high. And the constant reminders "Don't forget to bring security!" are annoying.

coral cache link

Thanks for slashdotting my poor little server on a DSL line :-)

Try this: http://pwnie-awards.org.nyud.net/2008/awards.html

Alexander Sotirov
Pwnie Awards

Re:coral cache link

[russlar]

Can we nominate you for a Pwnie Award for hosting a server on a DSL line?

Re:coral cache link

Pwnied!!!

Re:coral cache link

Can we nominate you for a Pwnie Award for hosting a server on a DSL line?

Sure, but I doubt you'll be able to get to the site to submit the nomination :-)

I didn't expect to get Slashdotted. Last year I submitted a link to the awards and it didn't even make it to the front page, so I figured that nobody outside of the security industry cared.

Alexander Sotirov
Pwnie Awards

Re:coral cache link

[GaryOlson]

And for not posting relevant "News for Nerds", we pwned CmdrTaco at his anniversary party. Ask him for the pictures!

Where!?

[Bloater]

The next step for the Pwnie Awards judges will gather in an undisclosed location

So how will they know where to go?

Life Lock Nomination

[wiz31337]

I don't know if anyone else saw it but, Life Lock's very own CEO Todd Davis was nominated for a Pwnie for his brilliant idea to publicize his SSN.

Someone was able to use his info to get a $500 fast cash loan.

Not the most techie Pwnie but funny nonetheless.

Undisclosed location?

[Pincus]

Count me in.

My employer...

Posting anonymously for obvious reasons...

My employer recently released a new "security measure" where our software phones home during installation (and ONLY during installation) to ensure the license key is valid (it has to be pre-generated on the server, avoiding the possibility for key generators).
However, the code to do so is a very easy to "decompile" .NET assembly (not even obfuscated, and with REALLY obvious method and property names) - it took me literally about 15 minutes to make a new version of the DLL that doesn't phone home, and just returns true under all conditions. (I make no claim to any skill for doing this - what I do make a claim to is that it's ridiculously simple for pretty much anyone to do)

I hereby nominate my employer for implementing the most insecure security method EVER.

Note #1: We used to have NO security, and the security was added later to try and stop "evil pirates". I dislike adding this security to our products, but it just seems a little pointless to go through the expense and hassle if it's so easily circumvented!
Note #2: I'll be making a full report of this to the appropriate people, including the obvious measures on how to mitigate the problem, so future versions won't be so bad.
Note #3: We're a large company, so have multiple development teams for different things - this FUBAR was NOT related to my team!

Re:My employer...

[HTH+NE1]

I worked at a web design company (now defunct) where the standard way to handle forms data submitted via a secure socket layer was to e-mail them unencrypted to the client's mailbox, which was often an AOL.com address.

And one client (a historical society site) who was quoted too low a price for a hosting plan with SSL had his forms hosted on another client's site (which sold lingerie, massage oils, candles, and Beanie Babies) that did have SSL, and those forms contained credit card information. A frameset was employed to hide the domain disparity. I at least succeeded in insisting that the information be retrieved by sftp instead of being e-mailed, though I suspect they had someone in-house sftp it and then manually e-mail it after I'd left.

Other incompetence included replacing the text alternative links for a server-side imagemap with another server-side imagemap (in order to control the fragile layout across all (i.e. "both") browsers) and encasing the company website in a frameset constraining the content to a 640x480 pane.

Everything they did was done using NetObjects Fusion, which produced excessively bloated nested tables to achieve WYSIWYG fixed layout. I personally recoded the front page of one site by hand and reduced HTML markup size to one eighth of its original size and image weight by far more, simply by replacing nested fixed-table-layout code with a client-side imagemap, something NOF should have been able to do itself.

Doh!

[ActusReus]

A "404 Not Found" page? Dummies... you should link to a DESCRIPTION of the bugs, not link to the actual bugs themselves!

Oops, the page is just Slashdotted. Nevermind.

A new category?

How about a category for "Biggest Twats in Computing"? They could just select five people at random from attendance and hit the sweet spot, ya know.

Re:A new category?

I'm sure they could improve their accuracy over that. If you're busy, these guys could nominate themselves. Pwnies, ha! Not exactly el8 is it?

Re:A new category?

[AlterRNow]

Not exactly making proud or joyful? :) I do believe that that wasn't the word you were looking for.

Do I win?

[pwnies]

Do I win?

Re:Do I win?

[CRiyl]

No, you need 2007 more of you to count. ;-)

We are now unslashdotted...

[dinodaizovi]

We quickly moved the site to a server with real bandwidth. So slashdot away!

Cheers,

Dino Dai Zovi
Pwnie Awards

A couple I found interesting

[Trogre]

Pwnie for Most Overhyped Bug

            Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

            Dan Kaminsky

            Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

Lamest Vendor Reponse

            Linus Torvalds

            Linux kernel non-disclosure policy

            Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security isses by defending silent patching of security vulnerabilities in the Linux kernel:

So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

            Adding insult to injury:

            Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

            It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.

Re:A couple I found interesting

[ibsteve2u]

Have to agree with Torvalds...where would security vendors be, if they hadn't created the continuing, job-securing sport of "Look what you can do with this unpatched bug!"?

Re:Fail but not for security.

Ha ha, he called M$ people "special".

Moderators: Please note

"Freenix" and all the replies below are the same person.

Including the AC one, which is used to increase visibility to his posts, which are all at -1 for trolling.