Software Integrity


The 2016 Pwnie Award nominees announced

On Monday the nominations for the tenth annual Pwnie Awards were announced in 16 categories.

The awards, literally a spray-painted My Little Pony, are given out each year at the Black Hat USA conference, which will take place on Aug 3rd, 2016 in Las Vegas. The awards are “judged by a panel of respected security researchers – the closest to a jury of peers a hacker is likely to ever get.”

Perhaps the most anticipated category is Pwnie for Best Junk or Stunt Hack. To give a sense of how these nominations are written, here’s what they have on their site for this award.

Pwnie for Best Junk or Stunt Hack (new for 2016!)

Awarded to the researchers, their PR team, and participating
journalists for the best, most high-profile, and fear-inducing
public spectacle that resulted in the most panic-stricken phone
calls from our less-technical friends and family members. Bonus
points for it being a needlessly sophisticated attack against a
needlessly Internet-enabled “Thing.”


  • WhatsApp Message Hacked By John McAfee And Crew

    Credit: John McAfee

    The reigning master of hacking and presidential campaign performance
    artist of our time, John McAfee, broke the news of his hack to
    Cybersecurity Ventures by phone that his team was able to
    demonstrate that WhatsApp messages between two cooperating
    researchers using compromised Android phones … could be
    compromised. They breathlessly reported that:

    Cybersecurity expert John McAfee and a team of four other
    hackers, using their own servers located in a remote section
    in the mountains of Colorado, were able to read an encrypted
    WhatsApp message.

    While the fact that end-to-end cryptography could be
    compromised at either end should not be news to many here, we all
    should heed McAfee’s warning:

    I have been warning the world for years that we are
    teetering on the edge of an abyss, that our cyber security
    paradigms no longer function, and that chaos will descend
    if something is not done. The fundamental operating system
    (Android), used by 90% of the world, and that should be the
    first bulwark against malicious intrusion, is
    flawed. Should I not bring this to the world’s attention
    through a dramatic demonstration? Do I not owe it to the
    world?

    Yes, John, yes you do.


  • Remotely Killing a Jeep on the Highway

    Credit: Charlie Miller and Chris Valasek

    They may not have been the first, but in our not-so-biased
    opinion, Charlie and Chris wore it best. The car hacking papers
    from researchers at UCSD and UW just lacked sufficient… Andy
    Greenberg freaking out.

    This high-profile demo caused Chrysler to recall 1.4M vehicles
    in order to address the vulnerabilities that Charlie and Chris
    identified. More importantly, it demonstrated to the entire
    industry how expensive not properly securing smart vehicles’
    systems could be and that proper software security programs
    just might be a good idea.


  • Hacking a Linux-Powered Rifle

    Credit: Runa Sandvik and Michael Auger

    If a hacked and out of control car on the freeway doesn’t
    scare you into never leaving the house, maybe a hacked
    precision-guided rifle will. Runa and Michael showed just how
    this nightmare scenario could come true. When asked why they’d
    hack a firearm, Runa replied:

    “Because cars are boring.”


    Tell that to Andy Greenberg.


  • “60 Minutes” Hacking Your Phone with a Hacked Phone

    Credit: John Hering, Jon Oberheide, Adam Laurie, et al

    Engadget described a particularly hand-wavey demo thusly:

    At the beginning of this contrived little drama, Alfonsi is
    using an iPhone. You know how everyone and everything these
    days is telling you not to click links, download files or
    install applications you don’t expect to receive? Well, he
    told her to do exactly that — click, download, install his
    app — with a text message he sent her. To do this in real
    life, she’d receive warnings, and she’d have to disable the
    security features on her iPhone. But in the next shot,
    suddenly our reporter is being spied on by Hering though an
    Android phone propped up on her desk.

    So, let’s make sure that we got this straight:

    1. Turn on “Unknown sources” to allow your device to
      install whatever malicious app the horrible mobile porn
      sites you frequent decide that you need installed.
    2. Turn off “Verify Apps” so that Google can’t scan those
      drive-by installed apps and inform you that they’re all sorts
      of bad.
    3. When you receive a text message from an unknown number
      with a link to install an app, tap that link like you know
      you’re supposed to with all suspicious links in unsolicited
      messages from unknown senders.
    4. When Android tells you that the app requires all sorts
      of ridiculous permissions to run, you tap “Yes, I am an
      adult and know what all of that meant” (even though you
      didn’t).
    5. Now that you’ve given a total Internet Stranger (who
      tend to be stranger than IRL Strangers) complete access to
      your phone, act totally surprised when they use that
      access to your phone to access your phone.

  • Security Analysis of Emerging Smart Home Applications

    Credit: Earlence Fernandes, Jaeyeon Jung, Atul Prakash

    As long as you stay off the roads, you’ll be safe from hacked
    cars. As long as you don’t go outside, you’ll be safe from
    hacked sniper rifles. As long as you turn off your smart
    phones, you’ll be safe from it being tracked and hacked
    too. Just stay home, where you’ll be safe from all of that
    insecure “smart” crap getting hacked… or not.

    These researchers from University of Michigan demonstrated how
    weaknesses in Samsung’s SmartThings and SmartApps could be
    abused to plant backdoor door unlock codes, steal existing
    door unlock codes, disable home vacation mode, and trigger a
    fire alarm. All the attacker needs to do is trick their victim
    into installing a fake app and steal an OAuth token from an
    existing SmartApp. How to do that is left as an exercise for
    the reader, but maybe John McAfee or John Hering would be
    willing to help them out.

That’s just one category. The rest of the nominations in all the categories can be found here.