List of Pwnie winners announced at Black Hat USA 2016

Aug 4, 2016 22:05 GMT

The Black Hat USA 2016 security conference has concluded in Las Vegas, and as is the annual custom, the Pwnie Awards have been given out to the best security researchers in the business.

Nominated by the entire infosec community and voted on by a panel of experts, this year's winners are as follows:

Pwnie for Best Server-Side Bug

Award given to the most interesting and technically sophisticated server-side exploit, theoretical or detected in the wild: Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow (CVE-2016-1287).

Pwnie for Best Client-Side Bug

The same as above, but for vulnerabilities exploited in local clients: glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547).

Pwnie for Best Privilege Escalation Bug

Awarded to security researchers who manage to find ingenious ways to elevate simple exploits to system-level execution: Widevine QSEE TrustZone Privilege Escalation (CVE-2015-6639).

Pwnie for Best Cryptographic Attack

Given out for the first time in 2016, this award recognizes researchers who identify novel ways to break encryption systems: SSLv2 Crypto attack (DROWN Attack) (CVE-2016-0800).

Pwnie for Best Backdoor

Another new award given out for the first time, but one that deserves its place among the rest of the categories: The Juniper Backdoor (CVE-2015-7755 & CVE-2015-7756).

Pwnie for Best Junk or Stunt Hack

The best description is the one given on the Pwnie Awards website: "awarded to the researchers, their PR team, and participating journalists for the best, most high-profile, and fear-inducing public spectacle that resulted in the most panic-stricken phone calls from our less-technical friends and family members." And the winner is: Remotely Killing a Jeep on the Highway.

Pwnie for Best Branding

The company that has put the most effort into explaining and marketing security vulnerabilities it discovered: Mousejack wireless keystroke injection bug.

Pwnie for Epic Achievement

Yet another new award, handed out to a researcher who achieved a never-before-seen level of notoriety thanks to his research: Tavis Ormandy (for hacking almost every antivirus program in the last year).

Pwnie for Most Innovative Research

Award handed out to the person who has published the most interesting research, even if not applicable in practice: Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector.

Pwnie for Lamest Vendor Response

This award was given out to a company that has failed to understand the implications of a security report it received: Western Digital.

Pwnie for Most Over-Hyped Bug

The security flaw that generated the most media hype, but wasn't really that dangerous: the one and only Badlock (CVE-2016-0128)!

Pwnie for Best Song

Epic moments when infosec people put down their laptops and start singing: Katie Moussouris - Cyber-lair.

Pwnie for Epic 0wnage

Award handed out to the researcher/security flaw that resulted in huge damage to the company/product it was found in: The Juniper Backdoor.

Lifetime Achievement Award

Award given to Mudge (Peiter C. Zatko), a long-time vulnerability research educator, influencer, and former hacker who ended up leading DARPA's cyber security program.

The Pwnie for Most Epic FAIL was not given out because it appears that security in the last year was better than in previous ones.