Feeds

Pwnie Awards celebrate best and worst of security

Showcasing the maddest skillz

SANS - Survey on application security programs

Organisers of the security world's Oscars, the Pwnie Awards, have announced the nominees for the second annual awards.

The Pwnies celebrate both the achievements and failures in security research and the wider IT security scene, so they are best thought of as a mixture of the Razzies, which recognise the worst in Hollywood, and the Oscars. The list of 37 nominees for the nine Pwnie Award categories will be narrowed down to winners by the judges, who will meet at an undisclosed location in order to decide the winners, before an awards ceremony at the Black Hat conference in Las Vegas on 6 August.

The list of nominees was narrowed from 134 submissions in categories including best client-side bug, most innovative research, lamest vendor response and most epic FAIL. Nominees in the bug category include URI protocol handler flaws, a class of flaw that put competing browser and application vendors at loggerheads in blaming others for vulnerabilities, the infamous Safari carpet-bombing bug and Apple's QuickTime media player application. QuickTime gets recognition as a result of numerous flaws with the application over the last 12 months.

In the Mass Ownage category the crippled OpenSSL random number generator in Debian, which resulted in the production of weak SSL and SSH keys, heads the nominations. SQL injection attacks, which became a preferred tactic for hackers to plant malware on vulnerable websites, also get a nod.

Security research and notable bugs are recognised in other award categories. Recent research in cold boot attacks on encryption keys will fight it out in the most innovative security research division with Rolf Rolles's research on virtualisation and security.

Lame Flame

Plenty of attention is likely to focus on the lamest vendor response award. McAfee's unimpressive answer to flaws in its "Hacker Safe" certification programme earns a dishonorable mention alongside NXP's decision to sue researchers who broke the security of its Mifare Classic smart cards. NXP's litigious response makes it the odds-on favourite to pick up the award, sparing Linus Torvalds, whose security-themed rant earlier this month earned him a nod.

Well-known security researcher Dan Kaminsky makes an appearance in several categories including the overhyped vulnerability slot, where the much publicised but still unspecified DNS cache poisoning vulnerability gets a mention. There might as well be no other nominees in the category since Kaminsky is a shoo-in for the award, in our book at least.

Momentous screw-ups (AKA epic fails) make up a more competitive category. Debian, for supplying a vulnerable OpenSSL library without realising it for two years, competes in this category against Todd Davis, the hapless Lifelock chief exec, whose anti-fraud service failed to protect him after he posted his social security number on the web. Intriguingly Windows Vista also gets a mention in this category for "proving security doesn't sell" and may be the dark horse for recognition here.

Former professional football players traditionally retire to manage pubs. Most hackers who have the "personality of a supermodel who does discrete mathematics for fun" go off to run coffee shops or some such so it's only fair the Pwnie Awards also include a Lifetime Achievement Award category. Dan Geer, who was fired by @stake after writing a paper about the risks on the lack of diversity in software established by Microsoft's dominant position, earns a nod in this category.

The full list of runners and riders for the Pwnie Awards can be found here. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.