Ransacked US OPM wins Pwnie Award for 'Most EPIC Fail'
Kicking a government when it's down
Black Hat 2015
For the past nine years Black Hat has staged its Pwnie Awards, devoted to recognizing the best and worst aspects of computer security, and this year's winner of the least welcome award is the US government's Office of Personnel Management.
The OPM won in the "Most EPIC Fail" category after hackers, possibly from the Chinese government, ransacked the agency's servers to steal confidential information on up to 21.5 million past and present government employees.
"The OPM let you and everyone else down. So much so, that the USA government might actually be pulling covert agents out of foreign countries. USA #1," noted the panel of judges.
The hack caused the resignation of the OPM's head and a frantic effort by other government departments to get themselves protected. No one from the OPM was present to pick up their pony-shaped award.
The OPM was up against some tough competition. Also nominated were the adulterer-friendly dating site AshleyMadison.com, which lost all of its customers' details to hackers, and WhiteHat Security, which released a supposedly secure browser that was full of security holes.
It was nearly a double header for the government department, as it was also a nominee in the Epic 0wnage category. But the winner there was Hacking Team, the commercial spyware company which had 400GB of internal company data stolen and posted online.
Also nominated was Russian security firm Kaspersky Lab, which suffered an infection of its own from the Duqu malware platform. Company founder Eugene Kaspersky claimed his firm had been attacked for bragging rights by hackers, although other experts disagreed.
No one from Hacking Team came up to collect the award, so it was jokingly accepted by Morgan Marquis-Boire, a researcher for internet monitoring organization Citizen Lab. Marquis-Boire is a thorn in the side of the commercial spyware industry, and Hacking Team's leaked emails showed the company had him under surveillance at times.
The winner of the "Lamest Vendor Response" category was security and networking provider Blue Coat. The company successfully pressured a security researcher into dropping his presentation at the SyScan conference in Singapore, provoking an angry response on Twitter, including a slam from Facebook's head of security Alex Stamos.
Any other CISOs want to make the #BlueCoatPledge with me? : I will never spend budget on a security vendor who threatens researchers.— Alex Stamos (@alexstamos) March 26, 2015
Blue Coat kind of apologized after the event, but it seems to have done little to soothe the security industry's views of it. An employee was present to pick up the award for the firm, which was a classy move.
The "Most Overhyped Bug" award went to Shellshock, a critical flaw in Unix and Linux systems that was discovered in September by Stephane Chazelas. The bug was very serious, but it provoked a panicked response in the mainstream media.
But the awards aren't all about slamming the worst aspects of the security industry, fun though that is. There was plenty of time for praise as well.
The award for the "Best Server-Side Bug" went to the flaw in SAP's LZC and LZH compression algorithms, discovered by researcher Martin Gallo. The bug left most of SAP's software open to remote code execution and denial-of-service exploits.
A late entrant won the "Best Client-Side Bug": researcher Mateusz "j00ru" Jurczyk, who spotted the BLEND bug in Adobe and Microsoft code in June. The bug allowed complete access to client-side systems, and prompted emergency patching from the two vendors.
The coveted "Lifetime Achievement" award went to Halvar Flake, a long-time Black Hat attendee and reverse engineering supremo. Flake set up Zynamics to explore reverse engineering issues, and it was so impressive that Google bought the firm four years ago. ®