Black Hat 2008: Pwnie Award Ceremony


The first night of Black Hat briefings concluded with the Pwnie Award Ceremony. The awards reward achievements in security… but mostly failures. Notably, this was the first year anyone accepted an award in person. Hack a Day took home an early victory by producing a MacBook mini-DVI to VGA adapter (pictured above). The ceremony was fairly straight forward after that. Best Server-Side Bug went to the Windows IGMP kernel vulnerability. It was a remote kernel code execution exploit in the default Windows firewall. The Best Client-Side Bug went to Multiple URL protocol handling flaws like this URI exploit. Mass 0wnage went to WordPress for many many vulnerabilities. Most Innovative Research went to the Cold Boot Attack team. Lamest Vendor Response was won by McAfee for saying XSS can’t be used to hack a server. The Most Overhyped Bug went to [Dan Kaminsky] for his DNS vulnerability. Most Epic FAIL was won by the team behind Debian for shipping the OpenSSL bug for two solid years. Lifetime Achievement Award was won by [Tim Newsham]. Finally, the Best Song was by Kaspersky Labs for Packin’ The K!, which you can find embedded below.

Comments

  1. Viper007Bond says:

    I’m confused about WordPress — how can you consider vulnerable 3rd party code (plugins) manually installed by the user a vulnerability of WordPress itself? Especially more so if the user opts not to keep the 3rd party code up to date?

    It’s as if I installed Firefox on my computer, a vulnerability was found in Firefox, and then the OS was deemed insecure as a result.

    Or am I missing something?

  2. klintor says:

    viper:

    A truly secure platform (or OS) shouldn’t allow 3rd party apps to introduce system-level vulnerabilities. Period

  3. Viper007Bond says:

    klintor:

    I’m a bit of a noob, but I don’t even see how that’s physically possible in a PHP based environment. As far as I know, you can’t easily run a PHP script in like a container or whatever.

    The only way I can think of to provide a plugin capability that met your requirements was if the plugin was like a XML file or something that just toggled flags/parameters in the software — a configuration file basically. You wouldn’t be able to expand on the software at all and would pretty much defeat the purpose of having plugins or an API.

    And by your definition then just about every piece of software on the web that has an API should get the same award. Look at Firefox, vBulletin, PunBB, etc. etc. etc. etc. They all load external files that could potentially compromise the security of the computer/server.

    If you have some brilliant idea or method to solve the problem, then please by all means, say so. Assuming it’s a reasonable solution, I’d be more than happy to contribute code towards such a solution for submission to the people that run the WordPress development.

  4. Dan Guido says:

    viper007bond: plugins are not the reason WordPress is insecure. You can check it’s history of security problems over at osvdb.org if you’re curious.

  5. What’s really sad about WordPress outside of Matt’s lack of manners, his inability to function in society and it’s lack of security is that a full security audit has been mentioned and discussed previously but nothing has yet occurred. Gallery did one and they don’t have the millions to spend like Matt does.

    You would have thought the number of times they’ve had their own sites hacked, security would have taken a step up in importance. Guess not.

    But considering that Matt’s now spamming his own site where ever he can instead of paying any attention to the splogs on wp.com and ignoring reports about them, does anything surprise you anymore?

  6. Abel Cheung says:

    Under current design having ‘secured’ wordpress plugin invocation sounds impossible. Plugins are basically just included into the core and invoked like the core does. Though some function hooks are available for sanitizing input, those functions are only optional, and no expose for the function occur at any plugin writing tutorials.

    Until recent releases, wordpress press releases have a tradition of suppressing any security announcement in order to make it look good. This is still true right now if press release is written by Matt himself. Only when it is written by others (like Ryan Boren) did it at least mention something. In this area Matt exactly behaves like Linus Torvald (including svn changelog messages too), if not worse.

    And my personal experience with security@wordpress.org is that, it’s yet another blackhole like those utterly dysfunctional vendors.

  7. Jim Spence says:

    Saturday I was searching for sites related to Search Engine Placement and specifically and found this site.

  8. Security says:

    Now I understand how it works. Keep it up! I love this game.

  9. I always prefer to use Kasperky over Avast or McAfee. Kaspersky is much better in detecting new viruses and it does not consume too much resources on your dektop PC.’*-

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 92,407 other followers