Main » 2011 » Март » 16 » Put forward nominees for the award pwnie 2008
13:43
Put forward nominees for the award pwnie 2008
Pwnie - analogue of the Oscars for the world of information security. Great achievements and failures, and, of course, a lot of fun. The second annual award Ponni will be held in August 2008 in Las Vegas at the meeting BlackHat USA.

In 2008, 9 nominations:

- For the best server bug (Pwnie for Best Server-Side Bug)
- For the best client bug (Pwnie for Best Client-Side Bug)
- For the mass use (Pwnie for Mass 0wnage)
- For the most innovative development (Pwnie for Most Innovative Research)
- For the most incompetent vendorskoe statement (Pwnie for Lamest Vendor Response)
- For the best-known bug (Pwnie for Most Overhyped Bug)
- For the best soundtrack (Pwnie for Best Song)
- For an epic failure (Pwnie for Most Epic FAIL)
- Lifetime Achievement (Pwnie for Lifetime Achievement)


1. Nomination for Best Server bug
Awarded to the person who discovered the most technically complex and interesting a server bug. (Bug can be in any remotely accessible program without user intervention)
- Windows IGMP kernel vulnerability (CVE-2007-0069): Alex Wheeler and Ryan Smith
- NetWare kernel DCERPC stack buffer overflow : Nicolas Pouvesle
- ClamAV Remote Command Execution (CVE-two thousand and seven-4560) : Nikolaos Rangos
- SQL Server 2005 (CVE-2007-4560): Brett Moore
The full description in English: http://pwnie-awards.org/2008/awards.html ...

2. Nominated Best Client bug
Similarly, the first nomination, but on the client side. Do not forget that not only web browsers, but also, for example, bugs in media players can take part.
- Multiple URL protocol handling flaws : Nate McFeters, Rob Carter, and Billy Rios
- Slirpie : Dan Kaminsky, RSnake, Dan Boneh
- Safari carpet bomb (CVE- 2008-2540): Laurent Gaffie, Nitesh Dhanjani and Aviv Raff
- Adobe Flash DefineSceneAndFrameLabelData vulnerability (CVE-2,007-0071): Mark Dowd and wushi
- QuickTime (CVE-2008 -*): too many vulnerabilities
Full description in English: http://pwnie-awards.org/2008/awards.html ...

3. Nomination massive use
Awarded to the person who discovered the most used later bug. The award is also known as Ponni to hack the internet.
- Windows IGMP kernel vulnerability (CVE-2007-0069) : Alex Wheeler and Ryan Smith
- An unbelievable number of WordPress vulnerabilities (CVE-2008-*) : many digging in engine, and many lucky
- Debian's random number generator with 15 bits of entropy (CVE-2008-0166): Luciano Bello
- XSS of the entire web for users of Earthlink, Comcast and Verizon : Dan Kaminsky
- SQL injection in more than 500,000 web sites : Rain Forest
Full description in English: http://pwnie-awards.org/2008/awards.html ...

4. Nominated Most Innovative Development
Awarded to the person who published the most interesting and innovative developments in the form of articles, presentations, software or even publish a mailing list.
- Application-Specific Attacks : Leveraging the ActionScript VM: Mark Dowd
- Splitting Gemini : Adam Cecchetti
- Lest We Remember : Cold Boot Attacks on Encryption Keys: J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten
- Defeating a VM packer with a decompiler written in OCaml : Rolf Rolles
- Heaps about Heaps : Brett Moore
Full description in English: http://pwnie-awards.org/2008/awards.html ...

5. Nominated most incompetent vendorskoe statement
- McAfee's "Hacker Safe" certification program
Over 60 sites have been certified as hakerozaschischennye McAfee's ScanAlert service have been vulnerable to XSS attacks, including the site itself ScanAlert. Director of the program Joseph Pierini still said that XSS vulnerabilities can not be used for hacking the server:
"XSS can not be used for hacking the server. You can use XSS to something else. You can implement XSS, which is affect the end user or customer. But The figures in the client is safely stored on the server and protected. Thus, the data can not be compromised XSS ".
And another quote: "we act as superhakery" ("we go in like a super hacker").

-Linus Torvalds
Linus spoke in support of "quiet" kernel upgrade. Fixes for vulnerabilities in the core of the system have not received wide publicity:
"I believe that the bugs related to security, such as normal as others. I do not hide them, but I just do not see any reason why they should be read out as something special.
... Too much attention is paid to security issues. bezopasniki become heroes, but perhaps people who are simply engaged in normal bug fixes are not as important? "

- Wonderware
CORE security reported a DOS vulnerability in Wonderware's SCADA software. How did they react? :)

2008-01-30: Initial contact email sent by to Wonderware setting the estimated publication date of the advisory to February 25th.
2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgment of the notification of a security vulnerability.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org


- NXP (formerly Philips Semiconductors)
The court case against the researcher, who hacked Mifare Classic smart cards .
NXP is suing Radboud University Nijmegen, to prohibit the publication of the article, which details the scheme of attack against the RFID chips used in many kinds of public transport throughout the world. Was first zayavileno the vulnerability of NXP in late 2007, but instead of answering received a subpoena.
Official comment Transport Service in London about the successful cloning of Oyster cards:
"This is not breaking the whole Oyster system. This is just an isolated incident."

6. Nominated Best known bug
Awarded to the person who discovered the bug, which has received wide publicity on the Internet and media.
- Unspecified DNS cache poisoning vulnerability (CVE-2,008-1447) : Dan Kaminsky
- BT Home Hub authentication bypass (CVE-2008-1334) : Adrian 'pagvac' Pastor
- Adobe Flash Player non-0day remote code execution (BID 29386) : Symantec
Full text in English: http://pwnie-awards.org/2008/awards.html ...

7. Nomination for Best Soundtrack
What kind of award nominations without a best sauntrek. Will anyone outshine Derekovskuyu The Night Before Christmas. "
- Packin 'The K! : K & Key, Kaspersky Labs

On hackers we put the hurtski,
we use Kaspersky, we pack the K!

Something untranslatable:) But Laba Kaspersky should win, as rivals do not have)

8. Nomination epic failure
- Todd Davis, Lifelock CEO for posting his SSN on the web
- Debian for shipping a backdoored OpenSSL library for two years (CVE-in 2008-0166)
- Windows Vista for proving that security does not sell
Full text in English: http://pwnie-awards.org/2008/awards.html ...

9. Lifetime Achievement Nomination
- Oded Horowitz
Like Sher, he can leave only Oded, because everyone knows this asshole.
- Tim Newsham (http://www.thenewsh.com/ ~ newsham /)
- Dan Geer
You may have heard about him on projects such as:
X Windows
Kerberos
@ stake
- John McDonald (Solaris / SPARC non-exec stack exploitation technique and sooavtorstvo "The Art of Software Security Assessment". And he makes the best coffee latte in the UK).
Views: 781 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: