On trusting devices and apps
2013-12-30 19:17:47.547347+00 by Dan Lyke 1 comments
So I made this off-hand comment on Friday, but thought it deserved a little expansion, especially in light of Jack William Bell's comments on the "NSA interception of hard goods" entry.
A. is Charlene's developmentally disabled younger brother. Earlier this year, we found a deal on a cheap Android tablet, and got it for him for Christmas. We also loaded a bunch of games and other apps onto it, but because we had trouble gauging what he would and wouldn't be able to use, and because many games and apps use an in-app purchasing or advertising supported model and don't have a for-pay option, some of those were free apps.
And it's 4.1, not 4.3 where the parental controls were implemented, so he has unrestricted web browsing along with these free apps.
I work for the ISP that we use at home. Said ISP has policies which try to disassociate IP addresses from user accounts, but I have a static IP address which overrides most of those protections. And said ISP also maintains a blacklist of malware sites for their primary DNS servers; by default, domain names associated with the worst offenders will be redirected to an internal web page which tells you that the domain is blocked, and that you can switch your name servers if you want to work around this...
... or provides a form where you can request unblocking of a given domain.
On Friday I'm sitting in my cube and one of the ops guys wanders by and says "the most interesting tickets are being generated by something coming from your IP address...", and we look, and we see a few tickets where the form fields have HTML and BBCode with links to findyourinsurer.com and myedguide.com and the like, sites advertising cheap car insurance and solutions to erectile dysfunction (why people interested in erectile dysfunction drugs might also need cheap car insurance is left as an exercise for the reader).
And we go look in the server logs for that blocking machine, and we see referrers from scammy toolbar sites, lol.searchpin.us and www.searchbar.me, with a user agent of:
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
I quickly call Charlene; she hasn't run Windows recently, so I assume it's some cross-site-scripting exploit that A. has triggered on the Android tablet, and that either Chrome or the Android browser on the tablet is doing wonky things with the user agent.
Except that as I dig through the logs for my web site, which I know we browsed with Chrome, at least, I don't see any hits from that user agent.
So the best guess at this point is that one of those free apps is posting spam. Or something else on my network was infected. Or...
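The triage described above, as an added example (not code from the post): a small Python script that parses combined-format access-log lines, flags hits by the two toolbar-site referrers or the Firefox 19 user agent, checks a submitted form field for BBCode or HTML links, and does the same cross-check as the last step, whether that user agent appears at all in another site's log. The log lines and addresses are constructed; the hosts and user agent are the ones the post names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in Apache "combined" format. The referrer
# hosts and the user agent are the ones the post names; the address is not real.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Dec/2013:14:02:11 +0000] "POST /unblock HTTP/1.1" 200 512 "http://lol.searchpin.us/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
203.0.113.7 - - [27/Dec/2013:15:10:02 +0000] "GET /blocked HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; Android 4.1.1; Build/JRO03D) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19"
203.0.113.7 - - [27/Dec/2013:16:41:57 +0000] "POST /unblock HTTP/1.1" 200 512 "http://www.searchbar.me/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SUSPECT_REFERER_HOSTS = {"lol.searchpin.us", "www.searchbar.me"}
SPAM_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"
# BBCode [url] tags, HTML anchors, or bare URLs inside a submitted form field.
LINK_RE = re.compile(r"\[url(?:=[^\]]*)?\]|<a\s[^>]*href\s*=|https?://", re.I)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_hits(log_text):
    """Hits whose referrer host is on the watch list or whose UA matches the spammer's."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if urlsplit(rec["referer"]).hostname in SUSPECT_REFERER_HOSTS:
            reasons.append("referer")
        if rec["ua"] == SPAM_UA:
            reasons.append("user-agent")
        if reasons:
            hits.append({"ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return hits


def has_injected_links(field_value):
    """True if a form field carries BBCode or HTML links, the signature of link spam."""
    return LINK_RE.search(field_value) is not None


def ua_seen(log_text, ua):
    """Cross-check: does this exact user agent show up anywhere in another site's log?"""
    return any(rec is not None and rec["ua"] == ua
               for rec in map(parse_line, log_text.splitlines()))
```

Run against a real log, `suspicious_hits` gives the timestamps to line up with the tablet's activity, and `ua_seen` against the other site's log reproduces the "no hits from that user agent" observation.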
I need to put a new hard drive in my house server and do some admin work on it, and in the process I want to put in some monitoring. A logging DNS proxy. I suppose that in terms of being truly paranoid I'm behind the curve, but before we left on Saturday morning I turned off the house server, and need to think about better firewall strategies.
And then I need to think about how I can start to build a net architecture that knows something about what data is flowing where, so that we can find anomalies. And think more about going back to paper.
The tablet is now with A. at his house, and on someone else's network, so it's no longer my problem and will be difficult to diagnose, but it is making me paranoid.