Feeds

Flame worm's makers fail to collect Epic 0wnage award

State cyberespionage tool-makers shun Pwnie Award glory

Beginner's guide to SSL certificates

Black Hat Hackers and other delegates to Black Hat celebrated the best and worst of information security with the latest edition of the Pwnie Awards, the security geek equivalent of the Oscars.

The award in the top "Epic 0wnage" category went to whoever's behind the Flame cyber-espionage spyware. It was their use of an MD5 collision attack to create counterfeit Microsoft certificates – and thereby push bogus updates via the Windows Update – that earned the respect of hackers. Recent reports by the Washington Post suggest that a team from the CIA, the National Security Agency and the Israeli Defence Force developed the attack.

The NSA's director Keith Alexander gave a key-note at Defcon – the other hacking convention held in Vegas in July - but disappointingly decided not to pick up the award.

"Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book," the citation for the award explains. "And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage."

The Pwnie for "Best Client-Side Bug" was a joint award to Pinkie Pie and Sergey Glazunov for separately hacking their way out of the Chrome sandbox. Both had already raked in $60,000 as winners of Google's Pwnium hacker contest for their ingenious hacks.

The discovery that some MySQL server configurations will accept any login password after enough tries earned Sergei Golubchik the Pwnie for the "Best Server-Side Bug". And the most innovative research Pwnie was bestowed on Travis Goodspeed for a paper on Wi-Fi hacking, entitled Packets in Packets: Orson Welles In-Band Signalling Attacks for Modern Radios.

Most of the awards celebrate excellence in the field of information security but one award celebrates epic incompetence. The Golden Raspberry Pwnie for Most Epic FAIL went to F5 for putting using the same extractable SSH private key in the firmware of all its appliances.

A more complete list of winners for the Pwnies can be found on the award's official page here. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.