At the end of July, at the Black Hat conference in Las Vegas, the Pwnie Awards were presented. The award goes either to those who have done something spectacularly foolish in information security or distinguished themselves by incompetence, or to those who hacked something beautifully, loudly and cheerfully, or discovered something genuinely interesting. Given the nature of the award, it is hardly surprising that not every laureate rushed on stage to collect the brightly painted pony statuette: government officials, intelligence agencies and software vendors are not usually inclined to admit mistakes.

The award has several categories, and the winners in each are chosen by a vote of the hacker community.
The award for the best server-side bug went to the Equation Group, a group associated with the NSA. The group's Windows SMB exploits appeared online this year after the Shadow Brokers stole and leaked them. The tools targeted three serious vulnerabilities (CVE-2017-0143, CVE-2017-0144 and CVE-2017-0145) and were later used in malware, including WannaCry (WannaCrypt), to compromise systems around the world. This prompted Microsoft to release patches for these vulnerabilities even for operating systems it no longer supports.
Representatives of the US intelligence services did not appear at the ceremony, and the same can be said of delegates from other states: the award for the most epic hack was shared by North Korea, for the WannaCry epidemic, and Russia, for the creation of the Shadow Brokers group.
Meanwhile, Australian Prime Minister Malcolm Turnbull took the top prize in the "most epic fail" category for declaring that the laws of Australia take precedence over the laws of mathematics. When it was pointed out to him that there is no way to bypass encryption for the purpose of fighting terrorists without depriving everyone else of encryption as well, he replied that he could assure his interlocutor that in Australia the laws of Australia prevail. "The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia," Turnbull continued. That statement earned him the pony statuette, although his rivals were strong. Among them was Kaspersky Lab's "secure" browser for iOS, which in fact turned out to contain a vulnerability, and The Intercept, whose careless handling of a leaked document led to the arrest of Reality Winner, the source who had provided it the classified information.
The other winners, in brief:
The pony for the best client-side bug went to Ryan Hanson, Haifei Li and other researchers for discovering CVE-2017-0199, also known as the Microsoft Office OLE vulnerability.
Victor van der Veen, Yanick Fratantonio and their co-authors received the award for the best privilege escalation bug for Drammer, a Rowhammer attack on DRAM that gains root on Android devices.
The prize for the best cryptographic attack went to the SHAttered team, Marc Stevens and colleagues, for the first practical SHA-1 collision.
In the "best backdoor" category the winner was M.E.Doc, the Ukrainian accounting software vendor whose update system was compromised and used to distribute the NotPetya ransomware.
The prize for the best branding went to Ghostbutt (CVE-2017-8291).
The award for the most innovative research went to the authors of a new way to bypass ASLR: a cache side-channel attack on the MMU's page-table walk that derandomizes address space layout even from JavaScript in a browser.
The Lifetime Achievement Award went to FX of Phenoelit.
And, finally, the award for the lamest vendor response went to Lennart Poettering, lead developer of systemd, for his ambivalent attitude toward bugs in his beloved init system. Specifically, the issues in question are 5998, 6225, 6214, 5144 and 6237, about which you can read in more detail here.
Null pointer dereferences, out-of-bounds writes, missing support for fully qualified domain names, services silently run as root when the user name they are configured with begins with a digit: none of it, apparently, is all that serious. When fixing such minor flaws there is no need to mention the CVE numbers assigned to them, nor to note them in the changelog or even in the commit message... It is precisely this attitude to bugs that gets rewarded at the Pwnie Awards.
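The last of those bugs is a textbook fail-open: a `User=` value the unit parser refuses to accept is treated as if the line were not there, and the default identity for a system service is root. The following is an added, simplified model written for this article, not systemd's code; the password database, the unit text and the function names are constructed for illustration. It shows the fail-open resolution beside the fail-closed one a practitioner would expect.

```python
import re
from typing import Optional

# Constructed password database (name -> uid) for this example only.
PASSWD = {"root": 0, "www-data": 33}

# Name rule the manager's parser accepts (an assumption modelled on the
# POSIX portable user name): must start with a letter or '_', then letters,
# digits, '_', '-' or '.'. "0day" fails this check even though nothing stops
# an administrator from creating such an account.
PORTABLE_USER_NAME = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_.-]*$")

DEFAULT_UID = 0  # a system service manager's default identity is root

# Constructed unit file used in the demonstration below.
UNIT = """[Service]
ExecStart=/usr/local/bin/app
User=0day
"""


def parse_user_directive(unit_text: str) -> Optional[str]:
    """Return the value of the first User= line, or None if the unit has none."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("User="):
            return line[len("User="):].strip()
    return None


def resolve_service_uid(user_directive: Optional[str], fail_closed: bool) -> Optional[int]:
    """
    Decide which uid a unit runs as, given its User= value.

    fail_closed=False models the fail-open behaviour described above: a value
    the parser cannot validate is treated as if the directive were absent, so
    the service silently gets the default uid, 0.

    fail_closed=True models the safe behaviour: an unusable User= value is a
    hard error, returned here as None, meaning "refuse to start the unit".
    """
    if user_directive is None:
        # No User= line at all: running as root is the documented default.
        return DEFAULT_UID
    if not PORTABLE_USER_NAME.match(user_directive):
        if fail_closed:
            return None          # reject the unit; never guess an identity
        return DEFAULT_UID       # the dangerous fallback: invalid name -> root
    uid = PASSWD.get(user_directive)
    if uid is None:
        return None              # well-formed but unknown name: both modes refuse
    return uid


if __name__ == "__main__":
    name = parse_user_directive(UNIT)
    print("User= value:", name)
    print("fail-open   ->", resolve_service_uid(name, fail_closed=False))
    print("fail-closed ->", resolve_service_uid(name, fail_closed=True))
```

The point of the comparison is not the regex: whether the administrator's account name is "valid" is a matter of convention, but a directive that was present and could not be honoured must never degrade into the most privileged default. In the fail-open branch the unit that asked for `User=0day` runs as uid 0; in the fail-closed branch it does not start at all, which is the only outcome that cannot be turned into a privilege escalation.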
Dear readers, who would you give a brightly colored pony to, and for what?