Pwnie Awards Explained

Status: Active
Frequency: Annual
Genre: Awards ceremony
Venue: Summercon, Black Hat
Founders: Alexander Sotirov, Dino Dai Zovi

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.[1]

Origins

The name Pwnie Award is based on the word "pwn", hacker slang meaning to "compromise" or "control", itself derived from the earlier use of the word "own" (and pronounced similarly). The name "The Pwnie Awards", pronounced "Pony",[1] is meant to echo the Tony Awards, the awards ceremony for Broadway theater in New York City.

History

The Pwnie Awards were founded in 2007 by Alexander Sotirov and Dino Dai Zovi following discussions regarding Dino's discovery of a cross-platform QuickTime vulnerability and Alexander's discovery of an ANI file processing vulnerability in Internet Explorer.

Winners

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

Winner list from.[31]

2014

2013

2012

The award for best server-side bug went to Sergey Golubchik for his MySQL authentication bypass flaw. Two awards for best client-side bug were given to Sergey Glazunov and Pinkie Pie for their Google Chrome flaws presented as part of Google's Pwnium contest.[37][38]

The award for best privilege escalation bug went to Mateusz Jurczyk ("j00ru") for a vulnerability in the Windows kernel that affected all 32-bit versions of Windows.[37] The award for most innovative research went to Travis Goodspeed for a way to send network packets that would inject additional packets.[37]

The award for best song went to "Control" by nerdcore rapper Dual Core.[37] A new category of award, the "Tweetie Pwnie Award" for having more Twitter followers than the judges, went to MuscleNerd of the iPhone Dev Team as a representative of the iOS jailbreaking community.[37]

The "most epic fail" award was presented by Metasploit creator HD Moore to F5 Networks for their static root SSH key issue, and the award was accepted by an employee of F5, unusual because the winner of this category usually does not accept the award at the ceremony.[37][38] Other nominees included LinkedIn (for its data breach exposing password hashes) and the antivirus industry (for failing to detect threats such as Stuxnet, Duqu, and Flame).

The award for "epic 0wnage" went to Flame for its MD5 collision attack,[38] recognizing it as a sophisticated and serious piece of malware that weakened trust in the Windows Update system.[39]

2011

2010

2009

2008

2007

References

  1. John D. Sutter, "Sony gets 'epic fail' award from hackers", CNN, August 4, 2011. Retrieved January 3, 2013.
  2. PwnieAwards, "Some of you may already be aware but due to extenuating circumstances we've made an early award!", X, https://x.com/PwnieAwards/status/1816163089307386359.
  3. "Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device's Power LED", https://www.nassiben.com/video-based-crypta.
  4. PwnieAwards, "Our final nomination for Lamest Vendor Response goes to: Google TAG for 'unilaterally shutting down a counterterrorism operation'", Twitter (status 1557268652197416966), 10 August 2022.
  5. https://www.technologyreview.com/2021/03/26/1021318/google-security-shut-down-counter-terrorist-us-ally/
  6. https://www.verdict.co.uk/googles-project-zero-shuts-down-western-counter-terrorist-hacker-team/?cf-view
  7. Dan Goodin, "In epic hack, Signal developer turns the tables on forensics firm Cellebrite", arstechnica.com, 2021-04-21. Archived 2023-05-23 at https://web.archive.org/web/20230523235159/https://arstechnica.com/information-technology/2021/04/in-epic-hack-signal-developer-turns-the-tables-on-forensics-firm-cellebrite/.
  8. Joseph Cox and Lorenzo Franceschi-Bicchierai, "Cellebrite Pushes Update After Signal Owner Hacks Device", vice.com, 2021-04-27. Archived 2023-05-11 at https://web.archive.org/web/20230511051709/https://www.vice.com/en/article/qj8pjm/cellebrite-pushes-update-after-signal-owner-hacks-device.
  9. Forrest Brazeal, "The Ransomware Song", YouTube. Retrieved 9 August 2021. Archived 2021-12-21 at https://ghostarchive.org/varchive/youtube/20211221/d2dsI8NvdCU.
  10. Orange Tsai, "ProxyLogon is Just the Tip of the Iceberg: A New Attack Surface on Microsoft Exchange Server!", www.blackhat.com. Retrieved 9 August 2021.
  11. National Security Agency, "Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers", Cybersecurity Advisory U/OO/104201-20, PP-19-0031, 01/14/2020, Defense.gov. Retrieved 9 August 2021.
  12. Enes Göktaş, Kaveh Razavi, Georgios Portokalidis, Herbert Bos and Cristiano Giuffrida, "Speculative Probing: Hacking Blind in the Spectre Era".
  13. Mitja Kolsek, "Free Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)", 0Patch Blog. Retrieved 9 August 2021.
  14. Gunnar Alendal, "Chip Chop - Smashing the Mobile Phone Secure Chip for Fun and Digital Forensics", Black Hat, www.blackhat.com.
  15. "21Nails: Multiple vulnerabilities in Exim", Qualys, qualys.com. Retrieved 9 August 2021.
  16. "E-Soft MX survey", E-Soft Inc., securityspace.com, 1 March 2021. Retrieved 21 March 2021.
  17. Orange Tsai, "Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs!", www.blackhat.com. Retrieved 7 August 2019.
  18. "Vectorized Emulation: Hardware accelerated taint tracking at 2 trillion instructions per second", https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_emulation.html.
  19. "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd", https://eprint.iacr.org/2019/383.pdf.
  20. "Spectre Attacks: Exploiting Speculative Execution", https://spectreattack.com/spectre.pdf.
  21. "Meltdown", https://meltdownattack.com/meltdown.pdf.
  22. "Return Of Bleichenbacher's Oracle Threat (ROBOT)", https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bock.pdf.
  23. https://www.theregister.com/2018/08/31/bitfi_reluctantly_drops_unhackable_claim/
  24. "Pwnie for Most Innovative Research", https://pwnies.com/winners/#research.
  25. "Pwnie for Best Privilege Escalation Bug", https://pwnies.com/winners/#bestprivesc.
  26. "The 2017 Pwnie Award For Lamest Vendor Response", https://pwnies.com/systemd-bugs/.
  27. "Hello (From the Other Side)", https://www.youtube.com/watch?v=d_TmocWyEDY.
  28. "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector", http://www.ieee-security.org/TC/SP2016/papers/0824a987.pdf.
  29. "DROWN: Breaking TLS using SSLv2", https://drownattack.com/drown-attack-paper.pdf.
  30. "Cyberlier", https://www.youtube.com/watch?v=ZNeFHimR4lQ.
  31. https://www.darkreading.com/vulnerabilities-threats/-will-it-blend-earns-pwnie-for-best-client-bug-opm-for-most-epic-fail
  32. https://j00ru.vexillium.org/slides/2015/recon.pdf
  33. https://www.kb.cert.org/vuls/id/552286
  34. "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf.
  35. "Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns", https://static.googleusercontent.com/media/research.google.com/pl//pubs/archive/42189.pdf.
  36. John Leyden, "Experts troll 'biggest security mag in the world' with DICKish submission", www.theregister.co.uk, 5 Oct 2012 at 09:31. Retrieved 2019-10-03.
  37. Sara Yin, "And Your 2012 Pwnie Award Winners Are...", SecurityWatch, PCMag, July 26, 2012. Retrieved January 8, 2013.
  38. Sean Michael Kerner, "Black Hat: Pwnie Awards Go to Flame for Epic pwnage and F5 for epic fail", InternetNews.com, July 25, 2012. Retrieved January 8, 2013.
  39. Lucian Constantin, "Flame's Windows Update Hack Wins Pwnie Award for Epic Ownage at Black Hat", IDG News Service, PCWorld, July 26, 2012. Retrieved January 8, 2013.
  40. Mathew J. Schwartz, "Pwnie Award Highlights: Sony Epic Fail And More", InformationWeek, August 4, 2011. Retrieved January 3, 2013.
  41. "Kernel Attacks through User-Mode Callbacks", https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf.
  42. "Securing the Kernel via Static Binary Rewriting and Program Shepherding", https://www.piotrbania.com/all/articles/pbania-securing-the-kernel2012_UPDATE.pdf.
  43. "Interpreter Exploitation: Pointer Inference and JIT Spraying", http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf.
  44. Taylor Buley, "Twitter Gets 'Pwned' Again", Forbes, July 30, 2009. Retrieved January 3, 2013. Original link (http://www.forbes.com/2009/07/30/pwnie-twitter-blackhat-technology-security-pwnie.html) dead; archived February 16, 2013 at https://archive.today/20130216024731/http://www.forbes.com/2009/07/30/pwnie-twitter-blackhat-technology-security-pwnie.html.
  45. Bob Brown, "Twitter, Linux, Red Hat, Microsoft 'honored' with Pwnie Awards", NetworkWorld, July 31, 2009. Retrieved January 3, 2013. Original link (http://www.networkworld.com/news/2009/073109-black-hat-pwnie-awards.html) dead; archived August 5, 2009 at https://web.archive.org/web/20090805171646/http://www.networkworld.com/news/2009/073109-black-hat-pwnie-awards.html.
  46. Erica Naone, "Black Hat's Pwnie Awards", MIT Technology Review, August 7, 2008. Retrieved January 3, 2013.
  47. Ryan Naraine, "OpenBSD team mocked at first ever 'Pwnie' awards", ZDNet, August 2, 2007. Retrieved January 3, 2013. Original link dead; archived February 17, 2013 at https://archive.today/20130217023941/http://www.zdnet.com/blog/security/openbsd-team-mocked-at-first-ever-pwnie-awards/418.