Pwnie Awards Celebrate Security Wins and Epic Fails

Contributing Writer

The Pwnie AwardsThe Pwnie Awards

Online security is serious business, but that doesn't mean you shouldn't take some time to horse around. At this year's Black Hat security conference in Las Vegas, Nevada, some of the top security experts in the field gathered for the Pwnie Awards, a tongue-in-cheek celebration of the past twelve months' most exciting wins — and its most epic fails. 

Heartbleed, Goto Fail and Mt. Gox were among this year's Pwnie award winners, receiving awards shaped like a security-themed My Little Pony figure, complete with a fedora "cutie mark" (as it's called in the My Little Pony universe) on the Pwnie's flank.

MORE: 7 Scariest Security Threats Headed Your Way

First off, the Pwnie for Best Server-Side Bug discovered in the last 12 months went to Google security researcher Neel Mehta and Finland-based security company Codenomicon for discovering Heartbleed. The sweeping and highly compromising flaw was located in the encryption software used by many websites, servers, routers and operating systems including Ubuntu Linux and Android 4.1.1.

Runners-up included Michele Spagnuolo for discovering the "Rosetta Flash" bug, which could be exploited to let attackers steal authentication tokens from many websites, including Google, Twitter, eBay, Tumblr and Instagram.

The next award, celebrating the Best Client-Side Bug, went to the Google Chrome Arbitrary Memory Read Write Vulnerability, a flaw in the Google Chrome OS operating system discovered this March by prodigious 24-year-old hacker George Hotz, a.k.a. Geohot.

It's also a win for Google's new Project Zero security team, who shares ownership of the award and of which Hotz is a member. Project Zero is a newly formed group of in-house Google researchers whose sole task is to sniff out vulnerabilities anywhere on the Web.

The third award was for Best Privilege Escalation Bug discovered in the last 12 months, or a bug that could let attackers increase their privileges on a targeted device, and thus effectively seize control of all the device's processes. The Pwnie went to the AFD.sys Dangling Pointer Vulnerability, discovered by Sebastian Apelt. This flaw in the Microsoft Windows operating system could be exploited to give remote attackers high privileges on the targeted computer.

Among the runners-up for Best Privilege Escalation Bug was the evad3rs jailbreak development team for an iOS 7 jailbreak called evasi0n. 

MORE: Jailbreak, Root or Unlock Your iPhone: FAQ

It 'sounds' crazy, but the Pwnie for Most Innovative Research went to the discovery that the sounds a computer makes as it decrypts a file could be used to determine the given encryption key used to unlock that data. Researchers Daniel Genkin, Adi Shamir and Eran Tremor first revealed their "acoustic cryptanalysis" findings last December.

The last three Pwnie awards were the most tongue-in-cheek. First, the award for Lamest Vendor Response (i.e. a software company responding poorly to being told there was a flaw in its products) went to Czech security and antivirus software company AVG. AVG claimed that the group of serious flaws found in its Remote Administration software were actually features and there "by design." The Pwnie judges weren't buying it.

Next was the award for Most Epic Fail, which went to Apple for the Goto Fail bug found on iOS 6 and 7 devices, and OS X 10.9 Mavericks computers. Goto fail could be exploited to undermine the SSL encryption that's supposed to protect users' Internet traffic from snoops and spies.

Runners-up for Most Epic Fail included the open-source community for the Heartbleed bug (as OpenSSL, the software in which Heartbleed is found, is open-source software maintained by volunteers), and Target, for the security oversights that lead to the massive data breach at Target retail stores last Fall.

Last but not least, the Pwnie for Most Epic 0wnage (with a zero instead of an "O") went to Mt. Gox, the Bitcoin exchange service that abruptly shut down this March, costing its users more than 850,000 bitcoins — or 473 million U.S. dollars. Runners-up in this unenviable category also included Heartbleed and Target.

How were the Pwnie award winners chosen? The judges — Brandon Edwards, Justine Aitel, Dino Dai Zovi, Chris Valasek, Mark Dowd and Alex Sotirov — are all experts in the security field, but assured audiences that Pwnie winner selection was largely arbitrary. 

"What do we mean by interesting [win or fail]?" joked Dai Zevi to the Black Hat crowd. "We mean interesting to us."

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.