June 21, 2018
Everyday Hacking: Always Gather Information
By: Jeremiah Johnson @Ka0sDem0n on Cybrary Insider Slack
Edited by: Gabrielle Hempel @Gabsmashh on Cybrary Insider Slack
I had the chance to check out an embedded system that I will be providing the hardware and assisting with the installation for. I went to a competitor who is already using the system to see what I could find out from a consumer point of view, and I noticed that I could gather a ton of information just by paying attention to the staff and other patrons. So how does one get hack-tastic in his everyday life? What I’m going to talk about are the observations I made while checking out a system that I will be installing. When talking about shoulder surfing, Leo Dreger with Cybrary.it suggests you pay attention to one finger at a time; however, shoulder surfing can be more than just gathering passwords -- it can be a great way to observe humans in nature. I was at one of those “Adult Arcades” that uses a swipe card-based system for tokens or accessing games. They had a number of games, from ones that would win you tickets (which would be put on the swipe card should you win) to standard arcade games such as Time Crisis. They also had clones such as Flappy Bird in their own stand-up machine, along with a VR attraction. We can learn so much from just a day out playing arcade games.
The first thing I was attempting to do was listen to conversations: what accents can I pick up, where are people from, who doesn’t really want to be there? There was a small problem: it was so loud that it rendered me basically deaf. If you aren’t standing next to a person, then you won’t hear what they are saying. So that killed listening. This left visual observation, from which we can still learn a lot. What are the adults playing versus the 5-12 year olds, or the 13-17 age range? Adults were playing what appeared to be the coin skill games, where you drop a coin and try to push the others off a ledge. There were five to six different versions of this same game: Wizard of Oz, Star Trek, Poker-themed, just to name a few. The younger generation was playing games of chance. There were very few playing the true arcade games, and I believe this is because they don’t net you anything. The VR attraction was popular as well. So, what does this tell us? Skin something several different ways, and you can get people to act on something similar, which means we could write a webpage to infect the populace and create multiple versions (sci-fi, popular movies). Getting people to click something to give us access is the end goal.
While information gathering for the hardware, or walking around watching people looking for a game to play, I was watching the employees interact with the machines. They were using Near Field Communication (NFC) to access sub menus on the swipe card readers. Techs had a bracelet they would tap on the screen to access the system. However, it was a pretty open setting, so just accessing the system with NFC wouldn’t be the best route to choose. They had terminals to reload the swipe cards, which, I know from the specs, lead back to a server typically in the building. There are the swipe cards themselves, which could be run through a skimmer and inspected for the data on them. Does the server maintain balances, or are they embedded in the cards?
We can learn a lot from just being in the world, like how people think and react to different stimuli. How should we target different age ranges? What is new that we may have missed? Even though we all sit behind computer screens or cell phones, seeing people in a natural element will help you no matter which hat you wear.
TL;DR: You can gather a ton of information from just being in the world, for both hardware and social engineering. Finding out what is popular or new will help you take root.