
Hackers to award most over-hyped bug, epic fail

By Robert Westervelt, News Editor
22 Jul 2009 | SearchSecurity.com


The Conficker worm, responsible for infecting millions of machines, is one of three nominees for Most Over-hyped Bug at the annual Pwnie Awards.

The informal award ceremony, which takes place each year at the Black Hat briefings in Las Vegas, recognizes security industry failures and over-hyped bugs as well as achievements in the hacker community. The 2009 nominees, which span 10 categories, were announced Tuesday.

The worm, also known as Downadup, spread through a vulnerability in the Windows Server service's RPC interface (patched by Microsoft in MS08-067) and was estimated to have infected 10 million machines at its peak in January. Media attention reached a frenzy in March, when researchers announced that the worm's domain-generation algorithm would change on April 1, enabling it to thwart attempts by the Conficker Working Group to disrupt its command and control. The change took effect on April 1 with little fanfare.

Still, researchers are puzzled by the botnet's inactivity. Mikko Hyppönen of F-Secure Corp. is intrigued by the mystery of the motives behind Conficker and plans to present his research next week at Black Hat.

Also nominated for Most Over-hyped Bug was an unsubstantiated OpenSSH zero-day flaw. OpenSSH is the most widely deployed implementation of the SSH protocol, used for encrypted remote administration and file transfer on servers everywhere, including at ISPs. Rumors of the zero-day were reported on July 7 by Marcus Sachs, director of the SANS Internet Storm Center. According to the nomination, the rumor triggered a number of "rash reactions," including one hosting provider, midPhase, disabling public SSH access on all shared accounts.

Clickjacking, a technique for tricking users into clicking on buttons or links of a target site by loading that site in an invisible frame positioned over a decoy page, also received a nomination for Most Over-hyped Bug. Because the click is delivered to the framed page with the victim's session, it carries the victim's authority on the target site; in one demonstration the technique was used against the Adobe Flash Player settings dialog to grant a site access to the computer's webcam and microphone. Security researchers Jeremiah Grossman and Robert "RSnake" Hansen, who had worked out the attack vector and its Flash variant, delayed their clickjacking presentation at the OWASP AppSec 2008 conference at the request of Adobe Systems Inc.
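The overlay trick described above and the header-based check a defender would run against a page's responses, as an added example in JavaScript (Node). This is not code from the article or from the researchers it names; the hostnames (app.example, partner.example) and the button coordinates are made up:

```javascript
// Added example: a minimal clickjacking overlay page and a check of the
// response headers that stop a page from being framed. Not from the
// article; all hostnames and coordinates are made-up.

// Attacker side. The victim sees a decoy button, but an invisible iframe of
// the target page is stacked above it, shifted so that the target's real
// button sits exactly over the decoy. The click lands inside the frame,
// which carries the victim's session cookies for the target site.
function buildClickjackPage(targetUrl, buttonX, buttonY) {
  const decoyX = 100, decoyY = 100; // where the decoy button is drawn
  return `<!doctype html>
<html><body>
<button style="position:absolute;left:${decoyX}px;top:${decoyY}px">Claim your prize</button>
<iframe src="${targetUrl}"
        style="position:absolute;left:${decoyX - buttonX}px;top:${decoyY - buttonY}px;
               width:1200px;height:900px;opacity:0;border:0;z-index:10"></iframe>
</body></html>`;
}

// Defender side. Given a response's headers and the page's own origin,
// decide whether an arbitrary third-party site could frame the page.
// Content-Security-Policy frame-ancestors takes precedence over
// X-Frame-Options when both are present (X-Frame-Options first shipped in
// IE8 in 2009; frame-ancestors arrived later with CSP level 2).
function framingPolicy(headers, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const own = pageOrigin.toLowerCase();

  const csp = h['content-security-policy'];
  if (csp) {
    const dir = csp.split(';').map(s => s.trim())
      .find(s => s.toLowerCase().startsWith('frame-ancestors'));
    if (dir) {
      const sources = dir.split(/\s+/).slice(1)
        .map(s => s.replace(/^'|'$/g, '').toLowerCase());
      // An empty source list is equivalent to 'none'.
      if (sources.length === 0 || sources.includes('none')) {
        return { framable: false, reason: "frame-ancestors 'none'" };
      }
      // '*' or a bare scheme such as "https:" lets any matching origin frame us.
      if (sources.some(s => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) {
        return { framable: true, reason: `frame-ancestors allows any origin (${dir})` };
      }
      if (sources.every(s => s === 'self' || s === own)) {
        return { framable: false, reason: 'frame-ancestors limited to own origin' };
      }
      return { framable: false, reason: `frame-ancestors limited to: ${sources.join(' ')}` };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') {
      return { framable: false, reason: `X-Frame-Options: ${v}` };
    }
    // ALLOW-FROM was never supported by every browser, and an unrecognised
    // value causes the whole header to be ignored, so treat both as no protection.
    return { framable: true, reason: `X-Frame-Options "${xfo}" is not reliably enforced` };
  }
  return { framable: true, reason: 'no framing restriction in headers' };
}

// Constructed responses: the first is what the framed target looks like in
// the clickjacking scenario, the second is the hardened version.
const weakResponse = { 'Content-Type': 'text/html' };
const hardenedResponse = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};
console.log(framingPolicy(weakResponse, 'https://app.example'));
console.log(framingPolicy(hardenedResponse, 'https://app.example'));
console.log(buildClickjackPage('https://app.example/settings', 420, 310));
```

The check treats an `ALLOW-FROM` value and any unrecognised `X-Frame-Options` value as unprotected, since browsers that do not understand the value ignore the header. Script-based frame busting, the usual defense at the time of this article, can be defeated by an attacker who controls the framing page, so sending both headers from the server is the reliable fix.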

Nominees for Most Epic FAIL included StrongWebmail CEO Darren Berkovitz, who challenged hackers to break into his StrongWebmail email account. Security researchers Aviv Raff, Lance James and Mike Bailey took Berkovitz's challenge seriously, exploiting a cross-site scripting flaw to gain access to his account.

Also nominated was "Linux default kernel security," along with the Linux kernel development team for its handling of kernel bugs. According to a team of researchers at MIT, fixes for disclosed kernel bugs do not reach users in a timely manner, in part because many are not recognized as security bugs when they are disclosed. The MIT team examined Linux kernel bugs from January 2006 to December 2008 and found that of 218 flaws, 25.7% had more than two weeks of impact delay and 14% had more than eight weeks of impact delay.

"We have shown that, following the disclosure of many core OS bugs, weeks or months lapse before they are identified as security bugs," according to the report. "Based on historical lessons and our own exploit investigation, we conclude that disclosed bugs present a significant security risk until they are fixed with an update, regardless of their perceived security impact."

The final nomination for Most Epic FAIL went to Twitter hacking and the security of data in the "cloud." Twitter has been the subject of a number of security incidents, including the hijacking of several high-profile accounts, and attackers have frequently used it to spread worms and phish users. The latest incident involved Jason Goldman, director of product management at Twitter, whose personal email account was compromised as a result of poor password practices. Access to that account let the attacker into other Twitter staff members' personal accounts, including that of co-founder Evan Williams. The incident became embarrassingly high profile when the tech blog TechCrunch published some of the stolen material, including notes from company strategy meetings and email exchanges.

In 2008, Dan Kaminsky accepted the Most Over-hyped Bug award for his DNS cache poisoning flaw. Debian received the Most Epic FAIL award for shipping, for nearly two years, an OpenSSL package whose random number generator had been crippled by a Debian-specific patch, leaving keys generated on affected systems predictable.
