14 DAY TRIAL // The Black Hat USA 2007 conference, in Las Vegas, saw the introduction of the 'Pwnie' awards. These distinctions were handed out to security researchers for accomplishments in the field of computer security. While many of the Pwnies were awarded for actual achievements, a few were also awarded for spectacular screw-ups.
The OpenBSD team has won an award for the most spectacular "mishandling" of a critical security vulnerability. The OpenBSD team won this distinction for refusing to acknowledge the bug as a security vulnerability and issue a "reliability fix" for it. Another mentionable award, for the most overhyped bug, was won by David Maynor. At last year's conference, Maynor, demonstrated the controversial MacBook Wi-Fi vulnerabilities he had discovered. "In the end, the only public information about Maynor's Wi-Fi vulnerabilities are hype, denial, a media frenzy, and a patch that may or may not have been based on Maynor's findings," said the judges.
These awards and the recent media fiasco of the iPhone production shortage report should give the media and journalists food for thought and encourage them to leave sensationalism aside. Hot stories such as these might be good for ad revenue, but in the end they only erode reader trust and desensitize the issues. This is a serious problem when it comes to the Mac platform where any security related information is instantly turned into a zero-day threat. After so many false reports Mac users have started to simply ignore any and all security related stories.
Other Pwnie winners:
Best server-side bug: The Solaris in.telnetd remote root exploit released by Kingcope in February. Kingcope was given a golden Pwnie for finding this vulnerability that did not require any special hacking tools or shellcode.
Best client-side bug: Researchers skape and skywing took this award for finding a nasty Windows vulnerability (Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1) that allowed remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception." The flaw was detailed in Uninformed Vol. 4.
Pwnie for mass ownage: This was won by the unknown hacker who found the WMF SetAbortProc remote code execution hole that was widely exploited in the wild via Internet Explorer. "This vulnerability deserves an award for its obviousness, ease of exploitation and high impact," the judges said.
Most innovative research: Skape's presentation, featured in the Uninformed Vol.2, grabbed this award for being the most interesting piece of work done in the last year.