Securing our home network

How many of us go to great lengths to physically secure our families but then do relatively nothing to ensure their security digitally?  Admittedly, that used to be me.  I had the “WIFI door cam.” I had numerous “tools” for home/self defense. Yet, I did nothing to protect our digital security except install an antivirus and call it a day.  Through cybersecurity training and mistakes on my part, I’ve learned my lesson. That might be barely enough to squeak by for a single guy, but as a father with kids, that is not enough.  Recently, an incident happened that greatly reinforced this lesson.  I’m sharing it so others might avoid this near catastrophe.

"The Incident"

At precisely 7:37 PM, I get an alert on my phone that my daughter’s tablet is visiting an infamous porn site, Bangbros.  So, of course, I do what every dad with a 10-year-old daughter would do: I run into the living room to grab the tablet. Thankfully, it’s not in her possession. She’s watching a movie with my wife.  Unfortunately, that means we’ve got a more complicated problem.

The App

After opening the tablet and signing in, I wasn’t greeted by porn. I was greeted by an animated “Character Maker” game for kids. It allows children to create their own custom ‘cartoon characters.’  Seems innocent enough, right?  Wrong, as I’d later find out.

The Investigation

Recently, I set up a Security Onion intrusion detection/network monitoring device to monitor all the traffic in and out of my home network. It was time to put this thing to good use. I pulled all the packet captures (PCAP), which are copies of the data packets that have streamed across the network, for that time period. I opened them up in Wireshark and sure enough, there were multiple porn and phishing TCP connections made by her device during that time period. It wasn’t a false firewall alarm.
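The same check can be scripted against the Zeek logs that Security Onion writes alongside the PCAP: list every connection the tablet opened around the alert time and label each one with the name the tablet had just resolved for it. This is an added example, not code from the original post or from Security Onion; the log excerpts, the tablet address 192.0.2.20 and the domain names are constructed placeholders.

```python
"""Triage a device's connections from Zeek logs around an alert time.

Constructed, abridged Zeek conn.log / dns.log excerpts (not real traffic);
the tablet address 192.0.2.20 and the domain names are placeholders.
"""

CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1700000000.10\tC1\t192.0.2.20\t51000\t198.51.100.7\t443\ttcp\tssl\tSF
1700000005.50\tC2\t192.0.2.20\t51001\t198.51.100.9\t80\ttcp\thttp\tSF
1700000007.00\tC3\t192.0.2.30\t40000\t203.0.113.5\t443\ttcp\tssl\tSF
1700003600.00\tC4\t192.0.2.20\t51002\t198.51.100.9\t80\ttcp\thttp\tSF
"""

DNS_LOG = """#fields\tts\tuid\tid.orig_h\tquery\tanswers
1699999999.90\tD1\t192.0.2.20\tcdn.example\t198.51.100.7
1700000005.40\tD2\t192.0.2.20\tads.example\t198.51.100.9,198.51.100.10
"""


def parse_zeek(text):
    """Parse a Zeek TSV log into row dicts keyed by its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def device_connections(conn_text, dns_text, device_ip, alert_ts, window_s=60):
    """Connections device_ip opened within +/- window_s seconds of alert_ts.

    Each hit is (responder_ip, port, service, names the device resolved to
    that IP); an empty name list means no DNS lookup preceded the connection.
    """
    names = {}  # responder IP -> set of query names the device resolved
    for r in parse_zeek(dns_text):
        if r["id.orig_h"] == device_ip and r["answers"] != "-":
            for ip in r["answers"].split(","):
                names.setdefault(ip, set()).add(r["query"])
    hits = []
    for r in parse_zeek(conn_text):
        if r["id.orig_h"] == device_ip and abs(float(r["ts"]) - alert_ts) <= window_s:
            hits.append((r["id.resp_h"], int(r["id.resp_p"]), r["service"],
                         sorted(names.get(r["id.resp_h"], []))))
    return hits
```

Point it at the real conn.log and dns.log for the hour of the alert, with the tablet's DHCP address and the alert's epoch time, and the hits are the connections to pull out of the PCAP in Wireshark.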

Now that I knew it wasn’t a false alarm on my firewall’s part, I decided to see if my initial suspicions concerning that app were correct. I downloaded the app’s .apk file from online, verified it was the same version and then ran it through an initial analysis using the Joe Sandbox malware analysis engine.  Sure enough, it came back malicious.  This was enough to warrant further investigation.  I’ve found Joe Sandbox to be a bit “sensitive,” but it’s fairly accurate and is a great tool to flesh out any initial suspicions. You can find the full malware analysis report by clicking on the characterization diagram.

Malware Analysis Report

Investigation Ongoing

After I got the results of the initial analysis from Joe Sandbox, I pulled the logs from the tablet. Upon looking through the logs, I discovered multiple “malformed cpu data” entries. Every entry contained a GUID which matched the app in question. It appears that the app has a time discrepancy problem. I’m still investigating this further.  I also found evidence that the app is “freezing the screen” at the same time it is establishing connections via TCP. I assume this is to prevent the user from seeing the exact nature of the connections.

"Lessons Learned"

  1. A good network-based firewall is a must. I never would have gotten an alert with a standard internet service provider router-based firewall.  Without the alert, who knows what this malware/spyware app would have done.

  • There are many good router/firewalls or standalone firewalls out there, but you probably won’t find one at a big box store.  Here are a few to consider.
  • Firewalla Gold — 3 Gbps router/firewall/IPS/IDS. I highly recommend this bad larry for home networks. The IDS/IPS portion of the firewall is based on Zeek, an industry-renowned intrusion detection/intrusion prevention tool.  It’s easy to set up, easy to configure, and allows excellent granularity over what content you permit on individual devices. If you want to easily filter content on your kids’ devices from a central management interface, this is the device for you.
  • Sophos XG – enterprise-grade firewall/IPS/IDS.  Sophos XG is software that’s normally found installed on corporate or business-class firewall appliances/routers. Sophos offers it free for home use. This is an excellent choice for the “techie.” You can install it on a virtual machine, a mini form factor PC, or even an old desktop if you install additional NICs.   It requires 6 GB of RAM, and I recommend a minimum of a 200 GB hard drive for log capture. Note: this may not be used if any business is being run out of the home. A paid version must be acquired at that point.  I recommend this if you are self-hosting any kind of external services such as a web blog or email.  I’d recommend installing this on a device such as the “Protectli Vault” or a comparable “Qotom” mini form factor PC with at least 2 cores and 6 GB of RAM.

  2. Audit our children’s devices regularly. Malware/adware creators are getting better and better at disguising their creations as legitimate apps.  We as parents need to not just check content but also look for signs that the app isn’t legitimate. We should also check the device at least once a week to make sure no unauthorized apps have been installed.

Is this app legit?

  • Here are a couple of quick ways to tell if an app might present a security threat.
  • Obscure/Unknown/Foreign Developer – If the developer of the app is some obscure foreign company you’ve never heard of, you may want to exercise caution. We’ve all heard of Disney. I bet no one has heard of the developer of the incident app.   This isn’t a clear-cut indicator, but it definitely should pique interest if you notice this.
  • Excessive Permissions – If the app you just installed is asking for permissions that seem unrelated to its function, treat this as very suspicious. If your “wifi thermometer app” is asking for permission for your camera or contacts, you don’t want that app.
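The excessive-permissions check above can be made mechanical: compare what an app’s manifest asks for against what an app of its kind actually needs, and translate each extra permission into plain language. This is an added example, not code from the original post or from any real app; the manifest excerpt, the package name com.example.charactermaker and the lists of expected permissions are constructed assumptions, while the permission names themselves are real Android permissions.

```python
"""Flag requested Android permissions that do not fit what an app claims to do.

Constructed AndroidManifest.xml excerpt for a hypothetical kids' drawing game;
the package name com.example.charactermaker is a placeholder, not a real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.charactermaker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>
"""

# Assumed baselines: what each kind of app plausibly needs. Anything beyond
# this is a question to answer before the app stays on a child's device.
EXPECTED = {
    "kids game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
    "wifi thermometer": {"android.permission.INTERNET",
                         "android.permission.ACCESS_WIFI_STATE"},
}

# Plain-language meaning of the permissions that should stop a parent cold.
RED_FLAGS = {
    "android.permission.CAMERA": "can take pictures and video",
    "android.permission.RECORD_AUDIO": "can record with the microphone",
    "android.permission.READ_CONTACTS": "can read your contact list",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
}


def requested_permissions(manifest_xml):
    """Names from every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}


def review_permissions(manifest_xml, app_kind):
    """Map each permission beyond EXPECTED[app_kind] to why a parent should care."""
    extra = requested_permissions(manifest_xml) - EXPECTED[app_kind]
    return {p: RED_FLAGS.get(p, f"not needed by a {app_kind}") for p in sorted(extra)}
```

A published APK stores its manifest as binary XML, so on a real file dump the names first with `aapt dump permissions app.apk` (or decode the APK with apktool) and feed them in.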

Bottom Line

Don’t fall into the trap of thinking that because you’ve armed yourself and you’ve secured yourself/home physically, that’s all you need to do. Cyberspace is an entire universe and it has a portal on every single internet-connected device in your home, including the one your kid is using.  If you’d take time to secure your front door, then you should take time to secure your digital front door as well.