Update: You can now view a recording of the session while testing yourself against the "Expert" panel! https://www.youtube.com/watch?v=VIS9fXZXJ44&feature=youtu.be&t=5h47m12s "Wait, wait! Don't pwn Me!" is a live, security news game show that pits three security experts (Josh Corman, Chris Eng and Matt Tesauro) against each other in a game of wits. Host Mark Miller, selects topics from the week's security news, posing the news items as limericks, fill-in-the-blank, and audience participation questions. The panel competes against each other, and the audience, for speed and accuracy when answering the questions. During the AppSec USA 2013 Conference, this was a rollicking, high spirited session, exposing the prevalence of security issues highlighted in the main stream news. It demonstrates how hard it is to keep up to date with security updates, even for the experts. Audience members should come prepared as we test their knowledge against the panel, trying to determine what is real news and what is fake. This is a fun filled session where panelists and audience members compete for prizes from the OWASP store. It is sure to put you in a good mood for the rest of the conference.

1. Wait, wait!
Don’t pwn me!
June 2014 Security News Headlines Q&A game

2. Mark Miller Chris Eng
Joshua Corman Matt Tesauro

3. ONLINE NEWS RESOURCES
Hacker News
CSO
CNN
ars technica
The Verge
Threat Post
NetworkWorld
SANS
Brian Krebs
Pandodaily
Forbes
Tesla
FBI.gov
Star Tribune
Errata Security

4. THE RULES
Each correct answer to the initial question is worth 3 points
A wrong answer subtracts 2 points
A pass on the question loses 1 point
If a question is answered incorrectly, the second response is worth 1 point
A correct answer from an audience member gets allocated 2 points to panelist of choice
The moderator may arbitrarily give
or take away points at any time

5. SCORE KEEPER: WE NEED A VOLUNTEER!

6. AUDIENCE PARTICIPATION:
WARM UP

7. Name 2 out of 7 podcast series dedicated to
security.

9. What popular software security company came
out with a campaign to “Put a Monster in your
Corner”?

10. What popular software security company came
out with a campaign to “Put a Monster in your
Corner”?

11. What movie is reportedly getting rebooted
by 'Iron Man 3' director Shane Black?

12. What movie is reportedly getting rebooted
by 'Iron Man 3' director Shane Black?

13. FOR THE PANEL:
HACKS IN THE NEWS

14. How were two 9th graders able to gain full
system credentials on their local ATM?

15. How were two 9th graders able to gain full
system credentials on their local ATM?

16. Name 2 of 5 hardware companies that had
confirmed XSS vulnerabilities within the
past month.

17. Name 2 of 5 hardware companies that had
confirmed XSS vulnerabilities within the
past month.

18. The largest DDoS attack in history hit what
site in Hong Kong last week?

19. The largest DDoS attack in history hit what
site in Hong Kong last week?

20. A flaw has been discovered in the
motherboards manufactured by the server
manufacturer Supermicro. What was the
flaw?

21. A flaw has been discovered in the
motherboards manufactured by the server
manufacturer Supermicro. What was the
flaw?

22. Columbia University researchers developed
a tool they called PlayDrone that indexed
and analyzed what?

23. Columbia University researchers developed
a tool they called PlayDrone that indexed
and analyzed what?

24. FOR EXPERTS ONLY

25. Millions of LinkedIn users were at risk with
what common attack method two weeks
ago?

26. Millions of LinkedIn users were at risk with
what common attack method two weeks
ago?

27. A recently discovered trojan app encrypts
files on what type of devices and asks for
ransom?

28. A recently discovered trojan app encrypts
files on what type of devices and asks for
ransom?

29. A new, powerful banking malware called
Dyreza has emerged. What type of attack
does it use?

30. A new, powerful banking malware called
Dyreza has emerged. What type of attack
does it use?

31. Zeus has a new competitor when it comes
to banking malware. Who is it?

32. Zeus has a new competitor when it comes
to banking malware. Who is it?

33. A loophole in what company’s payment
system allows anyone to double their
money endlessly?

34. A loophole in what company’s payment
system allows anyone to double their
money endlessly?

35. AUDIENCE PARTICIPATION:
IN THE NEWS

36. Elon Musk did something unheard of in
modern business. What was it?

37. Elon Musk did something unheard of in
modern business. What was it?

38. Who was found not guilty in the phone
hacking trial in the News of the World case?

39. Who was found not guilty in the phone
hacking trial in the News of the World case?

40. 4 of the FBI’s top 10 cybercriminals are from
which country?

41. 4 of the FBI’s top 10 cybercriminals are from
which country?

42. REALLY? THAT’S UNBELIEVABLE!

43. A new phishing campaign says it has a tool
to remove what vulnerability from your
desktop computer?

44. A new phishing campaign says it has a tool
to remove what vulnerability from your
desktop computer?

45. Why did Germany recently drop
prosecution of the NSA?

46. Why did Germany recently drop
prosecution of the NSA?

47. According to researcher Robert Graham, of
600K servers scanned, how many are still
vulnerable to HeartBleed?

48. According to researcher Robert Graham, of
600K servers scanned, how many are still
vulnerable to HeartBleed?

49. THE BUSINESS SIDE

50. What restaurant chain has had a credit card
breach since Sept 2013?

51. What restaurant chain has had a credit card
breach since Sept 2013?

52. What is E. Snowden’s former employer
developing to help the government track
you?

53. What is E. Snowden’s former employer
developing to help the government track
you?

54. What company was recently put out of
business after a major hack of their AWS
account?

55. What company was recently put out of
business after a major hack of their AWS
account?

56. On June 11, Target shareholders decided to
do what with 7 of 10 board members?

57. On June 11, Target shareholders decided to
do what with 7 of 10 board members?

58. In baffling move, TrueCrypt open-source
crypto project decided to what?

59. In baffling move, TrueCrypt open-source
crypto project decided to what?

60. Researchers found large global botnet of
infected systems. What type of systems
were they?

61. Researchers found large global botnet of
infected systems. What type of systems
were they?

62. What accounts for 98 percent of worldwide
Google Play revenue?

63. What accounts for 98 percent of worldwide
Google Play revenue?

64. EVERYONE:
FINAL ROUND: LIGHTNING ROUND

65. Feedly and Evernote went down from DDoS
attacks. What did the attackers want?

66. Feedly and Evernote went down from DDoS
attacks. What did the attackers want?

67. Name 2 of 5 companies that were held for
ransom recently, with the attackers
demanding to be paid in BitCoin.

68. Name 2 of 5 companies that were held for
ransom recently, with the attackers
demanding to be paid in BitCoin.
Vimeo, Mailchimp, Shutterstock, Feedly, Evernote

69. Robert Scoble called it “the stupidest, most
addictive app I’ve ever seen in my life.”

70. Robert Scoble called it “the stupidest, most
addictive app I’ve ever seen in my life.”

71. What is the most pirated show in history?

72. What is the most pirated show in history?

73. “Red Button Flaw” exposes major
vulnerability in millions of what?

74. “Red Button Flaw” exposes major
vulnerability in millions of what?

75. According to Network World, what is the
next “circle of hell” for the security
community?

76. According to Network World, what is the
next “circle of hell” for the security
community?

77. Within 10%, what percentage of security
attacks are the result of human error?

78. Within 10%, what percentage of security
attacks are the result of human error?

79. According to the NSA, how loud was
Edward Snowden’s whistle?

80. According to the NSA, how loud was
Edward Snowden’s whistle?

81. What European country is used as the NSA’s
largest listening post?

82. What European country is used as the NSA’s
largest listening post?

83. Why were 5 security apps recently booted
from Google Play and Amazon?

84. Why were 5 security apps recently booted
from Google Play and Amazon?

85. Google shuts down malicious 'Google Play
Stoy' app. What did the app do?

86. Google shuts down malicious 'Google Play
Stoy' app. What did the app do?

87. A Chinese company making smartphones
ships the phones with what specialized
software pre-installed?

88. A Chinese company making smartphones
ships the phones with what specialized
software pre-installed?

89. What is the WiFi password for the Brasil
World Cup Security Center?

90. What is the WiFi password for the Brasil
World Cup Security Center?

91. What is the WiFi password for the Brasil
World Cup Security Center?

92. TALLY THE SCORE: WHO WON?

93. Mark Miller Chris Eng
Joshua Corman Matt Tesauro

94. Wait, wait!
Don’t pwn me!
June 2014 Security News Headlines Q&A game