2008 Pwnie Award Nominees Announced

ruphus13 writes "The Pwnie Awards, an 'annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community' announced their 2008 nominees. From their site, 'The final list of nominees for the nine Pwnie Award categories is finally published. We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step for the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners.'"

Obligatory..

[nathan+s]

OMG PWNIESS!!!

Re:Obligatory..

[Nerdfest]

I can't believe I haven't heard that before. Maybe it's because I pronounce the P as an O ... I always thought 'pwn' was just the way it was spelled.

Re:Obligatory..

[pwnies]

You called?

Re:Obligatory..

[aldo.gs]

Reminds me of that comment when someone wrote "*Shakes little fist*" and then Little fist replied with "cut it out". Very surreal stuff, heh.

Pwned

Their web server has been pwned.

Re:Pwned

[Nos.]

Nominees

• Best Server-Side Bug
• Best Client-Side Bug
• Mass 0wnage
• Most Innovative Research
• Lamest Vendor Response
• Most Overhyped Bug
• Best Song
• Most Epic FAIL
• Lifetime Achievement Award

We received 134 submissions for the Pwnie Awards, of which we've selected 37 nominees. Please select an award category from the list above to see the nominees.

The winners of the Pwnie Awards will be anounced on August 6, 2008 at a ceremony at the BlackHat USA conference in Las Vegas.

Pwnie for Best Server-Side Bug

Awarded to the person who discovered the most technically sophisticated and interesting server-side bug. This includes any software that is accessible remotely without using user interaction.

• Windows IGMP kernel vulnerability (CVE-2007-0069)

  Discovered by: Alex Wheeler and Ryan Smith

  Not only did Alex Wheeler and Ryan Smith lay claim to a lucky CVE number, they also laid down the law with a remote kernel code execution vulnerability that was exploitable in the default firewall configuration on Windows XP, 2003 and Vista. Despite the SWI team's claim that its exploitation is "unlikely in real-world conditions", Kostya Kortchinsky was able to develop a highly reliable exploit for this vulnerability.

• NetWare kernel DCERPC stack buffer overflow

  Discovered by: Nicolas Pouvesle

  At REcon 2008, Nicolas Pouvesle demonstrated some amazing NetWare-Fu with his kernel exploitation techniques and staged payloads for a stack overflow in the DCERPC stack in the NetWare kernel. Besides impressing everyone at the conference (not to mention all of the Quebecois women around Montreal), he also struck fear into the hearts of NetWare administrators everywhere. All three of them.

  This vulnerability also shows how there can often be similar vulnerabilities in different implementations of the same functionality. And when a vulnerability in one implementation is found and fixed, similar bugs in other implementations may go unnoticed for a while. What does it take to make a vendor like Novell audit their DCERPC code for simple vulnerabilities? A widespread worm exploiting a stack overflow in the Microsoft DCERPC stack, crippling large portions of the Internet, and supposedly causing a blackout of the entire East Coast of the USA? Apparently not.

• ClamAV Remote Command Execution (CVE-2007-4560)

  Discovered by: Nikolaos Rangos

  This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source AntiVirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open source anti-virus products, Linus's Law clearly does hold: "Given enough eyeballs, all bugs shallow", even the ones that we knew about fifteen years ago.

• SQL Server 200

Re:Pwned

[xouumalperxe]

We're programmers here, we start at the zero-th decade, you noob.

Consolidated Security News Site

Security watchers and pundits might also like to take a look at this security news portal.

AG.

Slashdotted in under 10 minutes!

[russlar]

Did we just set some sort of record?

Re:Slashdotted in under 10 minutes!

no

does social hacking count?

Microsoft sure pwned the ISO when they got OOXML 'accepted' as a 'standard.'

Most EPIC fail, Windows Vista?

[djveer]

From the "Most Epic FAIL" section... "Windows Vista for proving that security does not sell $100,000,000 invested in security and what does Microsoft have to show for it? Customers are revolting against Windows Vista and nobody who has a choice is chosing to upgrade. It doesn't matter that Vista really is the most secure Microsoft operating system ever made, all customers care about is the annoyance of the UAC prompts, the confusing user interface and the insane hardware requirements."

I can agree with that completely. Windows Vista is significantly better for security than it's predecessor and had fewer vulnerabilities in the first year of release. However if people are so frustrated by the usability, hardware requirements, and confusing UAC prompts that they don't want to touch it with a 10-foot pole, that sort of seems like they're heading the wrong direction to me. They should be concentrating on making it more secure without direct user intervention.

Re:Most EPIC fail, Windows Vista?

[jd]

Way back in the mists of time, part of my University training was on Human-Computer Interfaces and how not to design them. One of the first things we were told about was excessive alerts and excessive confirmations. It just causes the user to be desensitized to those things that are important, and they end up hitting the given key or clicking the necessary box without really reading any of the dialog presented. This actually worsens security. Especially if there's any way to silence such warnings, by disabling them for example, or having a utility that injects a confirmation into the module that handles the dialog.

I believe security can sell, but that paranoia and pestering won't. Mandatory access controls, role-based access controls and POSIX access control lists do not require pestering dialog. There are general-purpose operating systems rated A1 on the old Orange Book scale - the highest rating for host security you can get - and I doubt a single one requires massive user intervention to do anything more complex than Solitaire.

I would argue, then, that the article is wrong on Vista, that Vista is NOT the most secure offering from Microsoft because users stop trusting the security facility and are more likely to accidentally permit applications to do something stupid. You have to consider th wetware, and the wetware is very easily overloaded with trivia. Vista is only the most secure offering from Microsoft if nobody uses it.

Re:Most EPIC fail, Windows Vista?

No kidding. This needs to be modded as high as it can go: Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

How the fuck should I know?!

I mean, really, has anyone actually looked at those prompts? I consider myself fairly computer literate, but the prompts confuse me. I have no idea what they're asking about.

Consider going to a car mechanic, and being told "we need access to your car, cancel or allow?" Do you allow them to have access? After all, they need access to your car to fix it. But do you trust them?

In real life, you might do research on that. But you can't research the prompts in Vista. They're system modal. (Really. Microsoft themselves killed system modal mode in Windows 2000 only to reintroduce it in Vista.) So you can't go and look up if SMENTTYN.EXE is something you need to allow to access C:\WINDOWS or is something that shouldn't.

(And what, exactly, does "access C:\WINDOWS" mean? Read something? Write something? Execute something? Who knows!)

So instead most users just get fed up and Allow everything.

And when they get pwned by a trojan horse that they never thought to question, Microsoft can honestly say that Windows didn't let it in: the user did by clicking "allow."

Ignoring the fact that the user wasn't given enough information to make an informed decision and that Vista doesn't allow the user to do anything else until they've answered the question.

Vista provides the illusion of security, but it's actually less secure than XP, since it conditions users to blindly allow everything they're asked to do until they get fed up and learn how to disable the security entirely. At least XP only asked Cancel or Allow when running executables downloaded from the Internet instead of just about everything.

Re:Most EPIC fail, Windows Vista?

[bluefoxlucid]

There are general-purpose operating systems rated A1 on the old Orange Book scale

A GPO that got a mathematical review? Like, reduced to a discrete graph and proven to function as predicted in all cases mathematically possible?

Re:Most EPIC fail, Windows Vista?

[Pr0xY]

Agreed...

However, one thing to keep in mind is that currently the vast majority of "owned" windows boxes, were not infected by an remote exploit, but were infected by trojan horses.

This poses an interesting and hard problem for Microsoft (i'm not trying to defend them, but i do believe in being fair). The issue is, how the heck do you prevent the installation of malware if the user ASKED for it to be installed?

Windows defender actually does a pretty good job here. It's not perfect, but nothing is. UAC is an "ok" solution and to be honest, not too different from Ubunut's password prompt during privileged operations.

I think Microsoft got the "right idea" with UAC, but the implementation of it went very wrong. Primarily due to the coarse granularity of what is "privileged." It's a tough thing to get right, and the *nix world has an advantage in this category, namely that the users are *used* to things like sudo and su to do things that are privileged.

I've seen plenty of Windows users complaining on forums about UAC with things like "why the heck do I need a UAC prompt for just changing the time?!?" They simply don't get that anything that could potentially have an effect on other users of the system is an "admin" task.

So all in all, I think Vista is better, but is simply a tough pill to swallow for the users who simply don't care or don't get security concepts...

I think something better with UAC would be something like: "You are about to install something, would you like it to be installed for the current user or every user on the system?" Default to current user, and if they pick "every user" ask them for a password then.

Re:Most EPIC fail, Windows Vista?

[jd]

That is entirely correct. AESEC makes the claim that: "GEMSOS is the only general-purpose kernel in the world rated Class A1: Verified Protection by the National Security Agency."

The other place you want to check is the paper on security kernels. This describes how to reach A1 (CC7) without having to prove the entire OS.

Re:Most EPIC fail, Windows Vista?

[Geak]

Very poorly implemented. The majority of people who use computers are completely computer illiterate. Most times I'm suprised they can figure out how to do something as technical as breathing. Anyway, what I'm getting at is they wouldn't know WTF "privileged" means in computer terms, even after consulting a dictionary.

The dialog should just say, "You are about to give a program permission to do whatever the fuck it wants to your computer, including INFECT IT WITH A VIRUS if it so chooses!!!! Unless you know 100% that the program is safe to run, or at least know how to fix ANY problem if it occurs, I strongly suggest you PROMPTLY CLICK NO!!!!". If they click the yes button they should be prompted for their windows product key, twice.

This might discourage people from clicking yes to everything. It may also discourage software companies from writing software that requires admin access. Better yet, it may encourage people who don't know how to use a computer to not use one. Then they can go back to using crayons, paper, envelopes and stamps to send an email.

Re:Most EPIC fail, Windows Vista?

[T.E.D.]

Windows Vista is NOT the most secure Windows ever. It just dumps the security concerns onto a user who has no clue what to do with them.

UAC prompts are the most useless things ever. "Something is trying to do something. Cancel or Allow?"

Only if you are running as root. (I renamed "administrator" to "root" on my Vista box to avoid confusion.) Comparing apples with apples, what does my Debian box do when I'm running as root and a program wants to change something secured? Generally, it just lets the program do it with no warning whatsoever.

Of course running general programs as root is considered stoopid (beyond "stupid"). So lets pretend we are smart and don't run as root. Then we run a program that needs root to accomplish something. On my Debian box either the program fails, or I get a password prompt for the root account. Continuing with this radical concept of comparing apples to apples: doing the same on my Vista box gives me....the exact same result. Some programs fail, some (perhaps most) give me a password prompt for the root account.

What really used to make Windows boxes so insecure was that it was such a PITA to elevate to root privs on the occasions you needed it that nobody bothered running any other way, despite the insane security risk. This is what Vista fixed.

ZDNet has more info.

[MRe_nl]

As their own site seems down, some more info here
http://blogs.zdnet.com/security/?p=1519

coral cache link

Thanks for slashdotting my poor little server on a DSL line :-)

Try this: http://pwnie-awards.org.nyud.net/2008/awards.html

Alexander Sotirov
Pwnie Awards

Re:coral cache link

[russlar]

Can we nominate you for a Pwnie Award for hosting a server on a DSL line?

Re:coral cache link

Can we nominate you for a Pwnie Award for hosting a server on a DSL line?

Sure, but I doubt you'll be able to get to the site to submit the nomination :-)

I didn't expect to get Slashdotted. Last year I submitted a link to the awards and it didn't even make it to the front page, so I figured that nobody outside of the security industry cared.

Alexander Sotirov
Pwnie Awards

Life Lock Nomination

[wiz31337]

I don't know if anyone else saw it but, Life Lock's very own CEO Todd Davis was nominated for a Pwnie for his brilliant idea to publicize his SSN.

Someone was able to use his info to get a $500 fast cash loan.

Not the most techie Pwnie but funny nonetheless.

Re:Site seems to be PWNED

[jorgevillalobos]

Concern? Their collapsed server is now more secure than it has ever been!

Do I win?

[pwnies]

Do I win?

Re:Do I win?

[CRiyl]

No, you need 2007 more of you to count. ;-)

We are now unslashdotted...

[dinodaizovi]

We quickly moved the site to a server with real bandwidth. So slashdot away!

Cheers,

Dino Dai Zovi
Pwnie Awards

A couple I found interesting

[Trogre]

Pwnie for Most Overhyped Bug

            Unspecified DNS cache poisoning vulnerability (CVE-2008-1447)

            Dan Kaminsky

            Dan Kaminsky is credited with discovering some unspecified vulnerabilities in DNS that allow for cache poisoning on a massive the-intarweb-tubes-will-burst-and-flood-your-basement scale. There has been massive media attention over this vulnerability and a large amount of backlash in the security community over the lack of details. When the full details of the vulnerability are revealed at BlackHat, the masses will decide whether the hype and secrecy were worth it. And, more importantly, the Pwnie Judges will vote on whether Dan gets the Pwnie for Most Overhyped Bug.

Lamest Vendor Reponse

            Linus Torvalds

            Linux kernel non-disclosure policy

            Proving that open-source security has not improved much since it relied on the idea of getting enough eyeballs to make bugs shallow, Linus Torvalds demonstrated his incompetence at handling security isses by defending silent patching of security vulnerabilities in the Linux kernel:

So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special.

            Adding insult to injury:

            Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior.

            It makes "heroes" out of security people, as if the people who don't just fix normal bugs aren't as important.