Black Hat The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas.
That's not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures.
The Pwnies give spray-painted pony statues to those who have either pulled off a great hack or failed epically. This year it was nation states that got a significant proportion of the prizes. The gongs are divided into categories, and nominations in each section are voted on by the hacker community. The ponies are then dished out every year at the Black Hat USA security conference in Sin City.
The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers. The tools attack three stunning vulnerabilities (CVE-2017-0143, 0144, 0145), and were later used by malware including WannaCrypt to wreck systems across the globe, forcing Microsoft to issue patches for out-of-date operating systems to fight the outbreak.
While Uncle Sam's snoops didn’t pick up their award, neither did other governments. The epic 0wnage award was split between North Korea and Russia for launching the WannaCry ransomware contagion and masterminding the Shadow Brokers, respectively.
Meanwhile, Australian prime minister Malcom Turnbull earned an award for the most epic fail for insisting the laws of Australia trump the laws of mathematics. The Aussie leader was told it's not possible to backdoor encryption for counterterrorism snoops without ruining the crypto for everyone else, and was having none of it.
“The laws of Australia prevail in Australia, I can assure you of that,” he said. “The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia.”
That landed him the pony, although Turnbull faced strong competition. Kaspersky’s flawed iOS browser was a close runner up, as was online publication The Intercept after its alleged source Reality Winner was collared by the Feds.
Speaking of winners, here's a summary of the other awards handed out:
- Best client-side bug: Ryan Hanson, Haifei Li, Bing Sun and unnamed bods for uncovering CVE-2017-0199 aka a Microsoft OLE flaw.
- Best privilege escalation bug: Victor van der Veen, Yanick Fratantonio, Martina Lindorfer, Daniel Gruss, Clementine Maurice, Giovanni Vigna, Herbert Bos, Kaveh Razavi, and Cristiano Giuffrida for their Drammer rowhammer RAM attacks.
- Best cryptographic attack: The SHAttered team – Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov.
- Best backdoor: MeDoc was shamed with this pony after its software update systems were hacked to spread NotPetya.
- Best branding: Ghostbutt aka CVE-2017-8291.
- Most innovative research: Ben Gras, Kaveh Razavi, Erik Bosman, Herbert Bos and Cristiano Giuffrida scoped this one for their ASLR bypass work.
- Lifetime achievement award: FX of Phenoelit.
And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237 that we covered here.
"Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
All of this year's nominations are here, and the results will be published on the awards website a little later. ®