Pwnie Awards 2017: achievements, mistakes and nonsense in the field of information security

Original author: Iain Thomson
At the end of July, at the Black Hat conference in Las Vegas, the Pwnie Awards were presented. The award goes either to those who committed incredible stupidity in the field of information security or distinguished themselves by incompetence, or to those who hacked something beautifully, loudly and cheerfully, or found something very interesting. Given the specifics of the award, it is no surprise that not all laureates hurried onto the stage to collect the brightly painted pony figurine. Government officials, intelligence agencies, and software manufacturers are generally not inclined to admit their mistakes. The award is divided into several categories. Winners are selected by a vote of representatives of the hacker community.

The award for the best server-side bug went to the Equation Group, the group that is associated with the NSA. Equation exploits for Windows SMB hit the net this year after they were stolen by hackers from Shadow Brokers. These tools targeted three serious vulnerabilities (CVE-2017-0143, 0144, 0145), and were later used in malware, including WannaCrypt, to compromise systems around the world. This led Microsoft to release patches for legacy operating systems that fix these vulnerabilities.

Representatives of the US intelligence services did not appear at the awards ceremony, and the same can be said of delegates from other states. So the award for the most massive hack was split between North Korea and Russia: for the WannaCry epidemic and for the creation of the Shadow Brokers group, respectively.

Meanwhile, Australian Prime Minister Malcolm Turnbull received the top award in the "biggest failure" category. He stated that the laws of Australia take precedence over the laws of mathematics. The Australian leader was told that it was impossible to circumvent encryption systems in order to fight terrorists without depriving everyone else of encryption. To this, he replied that he could assure the interlocutor that Australian laws prevailed in Australia. “The laws of mathematics are commendable, but the only law that has effect in Australia is the law of Australia,” continued Malcolm Turnbull. For this statement he received a pony figurine, although his rivals were very strong. Among them was the "secure" (but, in fact, vulnerable) browser from Kaspersky Lab for iOS. The Intercept news site also made the list: after its careless publication, Reality Winner, who had provided The Intercept with secret information, was detained.

Now, briefly, about the other winners.

The pony for the best client-side bug went to Ryan Hanson, Haifei Li, and other researchers for disclosing the vulnerability CVE-2017-0199, also called the Microsoft OLE vulnerability.

Victor van der Veen, Yanick Fratantonio, and others received the award for the best privilege escalation vulnerability for creating Drammer, an exploit for a rowhammer attack on RAM.

The prize for the best cryptographic attack went to SHAttered, by Marc Stevens and others.

M.E.Doc won in the "best backdoor" category. Its software update system was compromised and used to spread the NotPetya ransomware.

The prize for the best branding goes to Ghostbutt (CVE-2017-8291).

The most innovative research award went to the developers of a new way to bypass ASLR protection.

The Lifetime Achievement Award went to the hacker FX of Phenoelit.

And finally, the prize for the most awkward vendor response went to Lennart Poettering, lead systemd programmer. The reason is his ambiguous attitude to bugs in the init system beloved by all. Specifically, these are the following bugs: 5998, 6225, 6214, 5144, and 6237, more about which can be found here.

Dereferencing null pointers, writing outside the buffer, lack of support for full domain names, granting root privileges to users whose name begins with a digit: all this is not too serious. When correcting such minor flaws, it is not necessary to indicate the CVE numbers assigned to them, and it makes no sense to include this information in the change log or even in the commit descriptions... Actually, it is for exactly this attitude to bugs that awards are given at the Pwnie Awards ceremony.

Dear readers! To whom and for what merits would you give a brightly colored pony?
