'Epic Fail': OPM Bests Ashley MadisonPwnie Awards at Black Hat Highlight Best, Worst in Infosec
Nothing says "you really screwed up" like receiving the annual Pwnie Award for "Most Epic Fail" at the annual Black Hat conference.
See Also: From Passwords to Passwordless
Just ask Sony, which received the award - pwnie is hacker-speak for owning or compromising something - in 2011. In fact, Sony that year was nominated five times alone in that category, and faced zero contenders, thanks to the entertainment firm having laid off a significant number of its security staff, just months before suffering 21 separate hack attacks that resulted in the breach of multiple Sony sites, plus 77 million payment card accounts (see Why Are We So Stupid About Passwords?).
Now joining the august ranks of Sony - as well as other past winners such as Apple and Microsoft - is the 2015 Most Epic Fail award winner: the U.S. Office of Personnel Management. The award was bestowed this week at the annual Black Hat conference Pwnie Awards, for which trophies come in the form of spray-painted and occasionally augmented My Little Ponies - or should that be "My Little Pwnie"?
OPM storming to its first-place, epic-fail win won't surprise anyone who has been watching what appears to be the worst known data breach in U.S. government history, with 22 million victims and counting. But OPM, unlike Sony, did at least have some competition from Poland's Plus Bank, which the Pwnie Awards team said "got popped and then pulled a 40-year-old mid-life crisis move and denied everything regardless of the evidence against them"; the dating site AshleyMadison.com for suffering a major hack attack that exposed members' data; and WhiteHat Security for the Chromium-based Aviator "secure browser" it tried to build, which triggered privacy and security warnings from experts.
Best Research: Logjam
Although the Pwnie Awards single out the worst information security happenings over the past year, they also highlight the best. On that front, Matthew Green, a cryptographer and professor at Johns Hopkins University who is part of the team that discovered the 20-year-old flaw known as Logjam, accepted the best research award.
The Pwnie lifetime-achievement award was bestowed on Black Hat stalwart and reverse-engineering expert Thomas Dullien, a.k.a. "Halvar Flake," head of research for German security firm Zynamics, who took home a Goth Pwnie. He also co-presented a briefing at this year's conference, "Exploiting The DRAM Rowhammer Bug To Gain Kernel Privileges," which warned how a hardware bug could be exploited to gain escalated privileges on a device.
Other winners this year included Blue Coat Systems, for "lamest vendor," over allegations that the security and networking hardware vendor blocked researcher RaphaÃ«l Rigo from presenting research relating to the workings of Blue Coat's ProxySG operating system at this year's SyScan technical security conference. Those allegations led Alex Stamos, head of security for Facebook, to call for a ban on buying from Blue Coat.
Any other CISOs want to make the #BlueCoatPledge with me? : I will never spend budget on a security vendor who threatens researchers.” Alex Stamos (@alexstamos) March 26, 2015
The award for most overhyped vulnerability, meanwhile, went to Shellshock. But that selection drew some protests from the security community, including Martijn Grooten, who edits technical website Virus Bulletin. He noted that unlike a lot of vendor-hyped - and over-logoed - flaws, Shellshock is both real and being exploited in the wild.
Pwnie for Shellshock in 'overhyped' category seems unfair. Widely exploited in the wild. No PR machine behind it. https://t.co/pw14awk9DT” Martijn Grooten (@martijn_grooten) August 6, 2015
After this year's Black Hat - with sessions covering hacking everything from Jeep Cherokees' entertainment systems and air gaps to the Android Stagefright flaw and WiFi-enabled rifles - some researchers reported that they were suffering from "vulnerability fatigue."
But as the Pwnie Awards and the annual talks at Black Hat continue to highlight, expect plenty more where that came from.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.