LAS VEGAS—The annual Pwnie Awards at the Black Hat USA conference here celebrate the best security vulnerabilities found by researchers and also ridicule the worst security responses. The Pwnies are a somewhat satirical event that doesn’t take itself all that seriously, but it does represent a snapshot of the year that was in security.
The name “Pwnie” comes from the hacker vernacular “to pwn,” which is the process of taking over or owning a target. The actual award given at the Pwnie show is a My Little Pony child’s toy with an emblazoned Black Hat logo on its posterior.
One of the many categories at the Pwnie Awards is for the Most Epic Fail, with this year’s nominees including the Ashley Madison and U.S. Office of Personnel Management (OPM) hacks. OPM came away with this year’s Most Epic Fail award, as the hack of its systems resulted in 25.7 million Americans being at risk. OPM first admitted it was hacked on June 4, and over the course of the following weeks the true extent of the breach, and OPM’s mismanagement, became known.
Another popular Pwnie category is the Pwnie for Epic 0wnage, awarded to the company or group that was most completely taken over and embarrassed in an attack. OPM was nominated for this award as well, as was security vendor Kaspersky Lab thanks to the Duqu 2.0 malware, which Kaspersky admitted on June 10 had infiltrated its own network.
“Kaspersky sees Duqu wherever they look, even their own network,” remarked Pwnie judge Dino Dai Zovi.
Beating out both OPM and Kaspersky Lab for the Epic 0wnage award, however, was Italian security firm Hacking Team, which itself was hacked in July, leading to the disclosure of 400GB of data, including multiple zero-day vulnerabilities in Microsoft and Adobe applications.
Security hype is what the Most Overhyped Bug Pwnie award is all about, and this year’s award went to the Shellshock bug that impacted Linux systems in September 2014.
The Pwnie Awards also celebrate the best in research, and this year the Pwnie for Most Innovative Research went to the team of researchers from Inria, Microsoft Research, Johns Hopkins University, the University of Michigan and the University of Pennsylvania that disclosed the Logjam SSL/TLS vulnerability in May.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.