Euro Security Watch with Mathew J. Schwartz

Black Hat , Events

'Epic Fail': OPM Bests Ashley Madison

Pwnie Awards at Black Hat Highlight Best, Worst in Infosec
'Epic Fail': OPM Bests Ashley Madison

Nothing says "you really screwed up" like receiving the annual Pwnie Award for "Most Epic Fail" at the annual Black Hat conference.

See Also: How to Take the Complexity Out of Cybersecurity

Just ask Sony, which received the award - pwnie is hacker-speak for owning or compromising something - in 2011. In fact, Sony that year was nominated five times alone in that category, and faced zero contenders, thanks to the entertainment firm having laid off a significant number of its security staff, just months before suffering 21 separate hack attacks that resulted in the breach of multiple Sony sites, plus 77 million payment card accounts (see Why Are We So Stupid About Passwords?).

Now joining the august ranks of Sony - as well as other past winners such as Apple and Microsoft - is the 2015 Most Epic Fail award winner: the U.S. Office of Personnel Management. The award was bestowed this week at the annual Black Hat conference Pwnie Awards, for which trophies come in the form of spray-painted and occasionally augmented My Little Ponies - or should that be "My Little Pwnie"?

OPM storming to its first-place, epic-fail win won't surprise anyone who has been watching what appears to be the worst known data breach in U.S. government history, with 22 million victims and counting. But OPM, unlike Sony, did at least have some competition from Poland's Plus Bank, which the Pwnie Awards team said "got popped and then pulled a 40-year-old mid-life crisis move and denied everything regardless of the evidence against them"; the dating site AshleyMadison.com for suffering a major hack attack that exposed members' data; and WhiteHat Security for the Chromium-based Aviator "secure browser" it tried to build, which triggered privacy and security warnings from experts.

Best Research: Logjam

Although the Pwnie Awards single out the worst information security happenings over the past year, they also highlight the best. On that front, Matthew Green, a cryptographer and professor at Johns Hopkins University who is part of the team that discovered the 20-year-old flaw known as Logjam, accepted the best research award.

The Pwnie lifetime-achievement award was bestowed on Black Hat stalwart and reverse-engineering expert Thomas Dullien, a.k.a. "Halvar Flake," head of research for German security firm Zynamics, who took home a Goth Pwnie. He also co-presented a briefing at this year's conference, "Exploiting The DRAM Rowhammer Bug To Gain Kernel Privileges," which warned how a hardware bug could be exploited to gain escalated privileges on a device.

Other winners this year included Blue Coat Systems, for "lamest vendor," over allegations that the security and networking hardware vendor blocked researcher Raphaël Rigo from presenting research relating to the workings of Blue Coat's ProxySG operating system at this year's SyScan technical security conference. Those allegations led Alex Stamos, head of security for Facebook, to call for a ban on buying from Blue Coat.

But Blue Coat did earn some kudos for sending a representative to collect its award, who reportedly took the stage to claim: "I was on vacation when that happened."

Shellshock, Overhyped?

The award for most overhyped vulnerability, meanwhile, went to Shellshock. But that selection drew some protests from the security community, including Martijn Grooten, who edits technical website Virus Bulletin. He noted that unlike a lot of vendor-hyped - and over-logoed - flaws, Shellshock is both real and being exploited in the wild.

After this year's Black Hat - with sessions covering hacking everything from Jeep Cherokees' entertainment systems and air gaps to the Android Stagefright flaw and WiFi-enabled rifles - some researchers reported that they were suffering from "vulnerability fatigue."

But as the Pwnie Awards and the annual talks at Black Hat continue to highlight, expect plenty more where that came from.

Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.