Pwnie award
Encyclopedia
The Pwnie Awards recognize both extreme excellence and incompetence in the field of information security
. Winners are selected by a committee of security industry luminaries from nominations collected from the information security community. The awards are presented yearly at the Black Hat Security Conference
.
', which is hacker-slang meaning "to compromise" or to "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards" is meant to sound like The Tony Awards, an awards ceremony for Broadway Theater in New York City.
and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
. Winners are selected by a committee of security industry luminaries from nominations collected from the information security community. The awards are presented yearly at the Black Hat Security Conference
Black Hat Briefings
The Black Hat Conference is a computer security conference that brings together a variety of people interested in information security. Representatives of federal agencies and corporations attend along with hackers. The Briefings take place regularly in Las Vegas, Barcelona and Tokyo...
.
Origins
The name Pwnie Award is based on the word 'pwnPwn
Pwn is a leetspeak slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated .In hacker...
', which is hacker-slang meaning "to compromise" or to "control" based on the previous usage of the word "own" (and it is pronounced similarly). The name "The Pwnie Awards" is meant to sound like The Tony Awards, an awards ceremony for Broadway Theater in New York City.
History
The Pwnie Awards were founded in 2007 by Alexander SotirovAlexander Sotirov
Alexander Sotirov is a computer security researcher. He has been a researcher at Determina and VMware.He is well known for his discovery of the ANI browser vulnerability as well as the so-called Heap Feng Shui technique for exploiting heap buffer overflows in browsers. In 2008, he presented...
and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.
Categories
As of 2010, Pwnies are awarded in the following categories:- Pwnie for Best Server-Side Bug
- Pwnie for Best Client-Side Bug
- Pwnie for Best Privilege Escalation Bug
- Pwnie for Most Innovative Research
- Pwnie for Lamest Vendor Response
- Pwnie for Best Song
- Pwnie for Most Epic FAIL
2010
- Best Server-Side Bug: Apache Struts2 framework remote code execution (CVE-2010-1870) Meder Kydyraliev
- Best Client-Side Bug: Java Trusted Method Chaining (CVE-2010-0840) Sami Koivu
- Best Privilege Escalation Bug: Windows NT #GP Trap Handler (CVE-2010-0232) Tavis Ormandy
- Most Innovative Research: Flash Pointer Inference and JIT SprayingJIT sprayingJIT spraying is a class of computer security exploit that circumvents the protection of address space randomization and data execution prevention by exploiting the behavior of just-in-time compilation. It has been reported to have been used to penetrate security features in the PDF format and...
Dionysus Blazakis - Lamest Vendor Response: LANrevLANrevAbsolute Manage is a systems lifecycle management software for system administrators which automates IT administration tasks. The product is composed of a server and client software that runs on Windows and Mac OS X....
remote code execution Absolute Software - Best Song: "Pwned - 1337 edition" Dr. Raid and Heavy Pennies
- Most Epic Fail: Microsoft Internet Explorer 8Internet Explorer 8Windows Internet Explorer 8 is a web browser developed by Microsoft in the Internet Explorer browser series. The browser was released on March 19, 2009 for Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7. Both 32-bit and 64-bit builds are available...
XSSCross-site scriptingCross-site scripting is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same...
filter
2009
- Best Server-Side Bug: Linux SCTP FWD Chunk Memory Corruption (CVE-2009-0065) David 'DK2' Kim
- Best Privilege Escalation Bug: Linux udev Netlink Message Privilege Escalation (CVE-2009-1185) Sebastian Krahmer
- Best Client-Side Bug: msvidctl.dll MPEG2TuneRequest Stack buffer overflow (CVE-2008-0015) Ryan Smith and Alex Wheeler
- Mass 0wnage: Red Hat Networks Backdoored OpenSSH Packages (CVE-2008-3844) Anonymous
- Best Research: From 0 to 0day on Symbian Credit: Bernhard Mueller
- Lamest Vendor Response: Linux "Continually assuming that all kernel memory corruption bugs are only Denial-of-Service" Linux Project
- Most Overhyped Bug: MS08-067 Server Service NetpwPathCanonicalize Stack Overflow (CVE-2008-4250) Anonymous
- Best Song: Nice Report Doctor Raid
- Most Epic Fail: Twitter Gets Hacked and the "Cloud Crisis" Twitter
- Lifetime Achievement Award: Solar Designer
2008
- Best Server-Side Bug: Windows IGMP Kernel Vulnerability (CVE-2008-0069) Alex Wheeler and Ryan Smith
- Best Client-Side Bug: Multiple URL protocol handling flaws Nate McFeters, Rob Carter, and Billy Rios
- Mass 0wnage: An unbelievable number of WordPress vulnerabilities
- Most Innovative Research: Lest We Remember: Cold Boot Attacks on Encryption Keys (honorable mention was awarded to Rolf Rolles for work on virtualization obfuscators) J. Alex Halderman, Seth Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph Calandrino, Ariel Feldman, Rick Astley, Jacob Appelbaum, Edward Felten
- Lamest Vendor Response: McAfee's "Hacker Safe" certification program
- Most Overhyped Bug: Dan KaminskyDan KaminskyDan Kaminsky is an American security researcher. He formerly worked for Cisco, Avaya, and IOActive, where he was the Director of Penetration Testing...
's DNS Cache Poisoning Vulnerability (CVE-2008-1447) - Best Song: Packin' the K! by Kaspersky Labs
- Most Epic Fail: DebianDebianDebian is a computer operating system composed of software packages released as free and open source software primarily under the GNU General Public License along with other free software licenses. Debian GNU/Linux, which includes the GNU OS tools and Linux kernel, is a popular and influential...
's flawed OpenSSL Implementation (CVE-2008-0166) - Lifetime Achievement Award: Tim NewshamTim NewshamTim Newsham is a computer security professional. He has been influencing and contributing to the security community for more than a decade. He has performed ground-breaking research while working at security companies including @stake, Guardent, ISS, and Network Associates . Mr...
2007
- Best Server-Side Bug: Solaris in.telnetd remote root exploit (CVE-2007-0882), Kingcope
- Best Client-Side Bug: Unhandled exception filter chaining vulnerability (CVE-2006-3648) skape & skywing
- Mass 0wnage: WMF SetAbortProc remote code execution (CVE-2005-4560) anonymous
- Most Innovative Research: Temporal Return Addresses, skape
- Lamest Vendor Response: OpenBSD IPv6 mbuf kernel buffer overflow (CVE-2007-1365)
- Most Overhyped Bug: MacBook Wi-Fi Vulnerabilities, David Maynor
- Best Song: Symantec Revolution, Symantec