Flame Spyware Wins Top 'Pwnie' Hacker Award
CREDIT: Pwnie Awards LLC
LAS VEGAS — Eight more entries were made into the cybersecurity hall of fame, and of shame, at the sixth annual Pwnie Awards ceremony at the BlackHat security conference here Wednesday evening (July 25).
Inaugurated in 2007 by a group of "grey hat" hackers, the Pwnies — the name refers to hacker "pwning," or "owning," a targeted machine — are meant to be a tongue-in-cheek way to highlight the achievements and failures of the digital security world over the past year.
Top spot, for Most Epic Ownage, went to the unknown authors of the Flame malware for their groundbreaking cryptographic work: a collision attack on the MD5 hash function, which let them forge a code-signing certificate that Windows accepted as Microsoft's own.
The forged certificate let Flame masquerade as a legitimate Microsoft Windows Update package and infect hundreds of computers in the Middle East with sophisticated spyware.
"Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book," said the Pwnies judges on their website. "And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage."
"Are the authors of Flame here?" joked the Pwnies judges upon announcing the award. "Does anyone want to accept this?"
One winner who wasn't afraid to show up was a representative of F5 Networks, the Seattle network-appliance company.
F5 garnered the Epic Fail award for shipping the same root SSH private key in the firmware of all its devices, so that anyone who extracted it from one appliance could log in as root on any other customer's.
"Including an SSH authentication public key for root on all F5 devices is nice," said the Pwnies judges. "Putting the private key for it in the firmware where it can be found and then used against any other F5 device is even better. For FAIL, press F5."
A representative from the company sheepishly strode up to the podium to accept the Pwnie trophy, a customized "My Little Pony" doll.
The Epic Fail win was not mentioned on F5's website.
Other nominees for the Epic Fail award were LinkedIn, for not "salting" its hashed passwords, not having a chief security officer and having more than six million of those password hashes leaked; a criminal-controlled botnet whose security was so weak that a security firm was able to take over the network and publish the personal details of its controller; and the entire anti-virus industry, for failing to catch Flame, Stuxnet, Duqu and other sophisticated, presumably state-sponsored, malware.
The award for Best Client-Side Bug was shared by hackers Sergey Glazunov and the teenaged "Pinkie Pie," each of whom chained several vulnerabilities in Google's Chrome browser into a complete working exploit at the CanSecWest conference in Vancouver, B.C., in March.
One runner-up for that award was iPhone hacker Charlie Miller, who last fall got a proof-of-concept app that could download and run unsigned code into the iTunes App Store and was expelled from Apple's developer program as a result.
Perhaps most impressive was the winner for Most Innovative Research. Hacker Travis Goodspeed showed that a complete radio frame can be hidden inside the payload of another: when noise corrupts the start of the outer frame, the receiver keeps hunting, locks onto the inner frame instead and accepts it as a genuine packet. An attacker who controls only the contents of ordinary traffic bound for a wireless network can therefore inject raw link-layer frames into it from anywhere on the Internet, with no radio in range.
"Travis heard you like packets, so he put packets in packets so that he could inject packets into your internal network from all the way across the Internet," said the Pwnies judges. "Doesn't sound very neighborly to us, but it's still way cool."
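The mechanism the judges are joking about, as an added byte-level simulation (not code from the Pwnie Awards page or from Goodspeed's own tooling): a toy receiver hunts for a preamble and sync word, then consumes one frame at a time. The frame format, the sync word, the CRC and the payloads below are all constructed for illustration; a real radio does the same thing at the symbol level in its PHY, and real links add whitening and other complications that this model omits. When the outer frame's sync byte is intact the receiver delivers the attacker's bytes as harmless data; when a single bit of it is wrong, the receiver locks onto the inner frame embedded in the payload and delivers that instead. A seeded Monte Carlo run shows that a modest bit-error rate is enough for the injected frame to get through a measurable fraction of the time.

```python
"""Byte-level model of 'packets in packets' (added example, constructed data)."""
import random

PREAMBLE = b"\xaa\xaa"  # constructed bit-sync pattern, like a PHY preamble
SYNC = b"\xa7"          # constructed start-of-frame delimiter the receiver hunts for
HEADER = PREAMBLE + SYNC


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (polynomial 0x1021, init 0xFFFF); the frame's integrity check."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_frame(payload: bytes) -> bytes:
    """PREAMBLE | SYNC | LEN | payload | CRC16 over LEN+payload."""
    assert len(payload) < 256
    body = bytes([len(payload)]) + payload
    return HEADER + body + crc16(body).to_bytes(2, "big")


def receive(stream: bytes) -> list:
    """Toy receiver. Hunts byte by byte for HEADER; once locked it consumes
    LEN+payload+CRC as one frame (valid or not) before hunting again, as a real
    radio does. Inner bytes are therefore only seen as data unless the outer lock
    was missed. Returns the payloads of every frame with a good CRC."""
    frames = []
    i = 0
    while i + len(HEADER) + 1 <= len(stream):
        if stream[i:i + len(HEADER)] != HEADER:
            i += 1
            continue
        start = i + len(HEADER)         # LEN byte
        length = stream[start]
        end = start + 1 + length        # first CRC byte
        if end + 2 > len(stream):
            break                       # truncated frame, nothing more to decode
        body = stream[start:end]
        if crc16(body) == int.from_bytes(stream[end:end + 2], "big"):
            frames.append(body[1:])
        i = end + 2                     # skip the whole frame, good or bad
    return frames


# Constructed payloads: the attacker controls only the outer payload, e.g. the
# body of an ordinary request sent across the Internet to a host on the wireless net.
INNER_PAYLOAD = b"INJECTED: raw link-layer frame from across the Internet"
OUTER_PAYLOAD = b"GET /innocent HTTP/1.1 " + build_frame(INNER_PAYLOAD) + b" ..."


def demo(corrupt_outer_sync: bool) -> list:
    """Outer frame on an idle channel; optionally flip one bit of its SYNC byte."""
    stream = bytearray(b"\x00" * 5 + build_frame(OUTER_PAYLOAD) + b"\x00" * 5)
    if corrupt_outer_sync:
        stream[5 + len(PREAMBLE)] ^= 0x01
    return receive(bytes(stream))


def injection_rate(trials: int, ber: float, seed: int = 1) -> float:
    """Monte Carlo: send the outer frame through a channel with bit-error rate
    `ber` and measure how often the receiver delivers INNER_PAYLOAD."""
    rng = random.Random(seed)
    clean = b"\x00" * 5 + build_frame(OUTER_PAYLOAD) + b"\x00" * 5
    hits = 0
    for _ in range(trials):
        noisy = bytearray(clean)
        for k in range(len(noisy)):
            for bit in range(8):
                if rng.random() < ber:
                    noisy[k] ^= 1 << bit
        if INNER_PAYLOAD in receive(bytes(noisy)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("clean channel   :", demo(False))
    print("outer SYNC hit  :", demo(True))
    print("injection rate at BER 0.5%:", injection_rate(2000, 0.005))
```

The receiver never needs to be exploited: it behaves exactly as designed, and the attacker simply waits for the channel to drop the outer frame's header while leaving the inner frame intact. Sending the same payload many times, as the simulation does, turns that small per-frame probability into a near-certain injection.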