When Yujing Zhang was arrested at President Trump’s Florida resort Saturday, she was carrying four cellphones, a laptop, an external hard drive and the thumb drive, which “a preliminary forensic investigation” determined contained malicious software, according to the criminal complaint filed in a federal court Monday.
It's unclear so far why Zhang, who my colleague Devlin Barrett and David Fahrenthold reported was charged with making false statements and entering a restricted area, was at the resort or what she planned to do with the thumb drive.
But her suspicious cargo serves as a reminder that sometimes even simple tricks can be incredibly effective at stealing information or disrupting data.
It also underscores the complexities of providing cybersecurity for a president who loves to visit his other properties.
Thumb drives remain a popular method for digital attacks because they get around common computer defenses that are more likely to trust something a person inserts directly into the computer. While secure sites such as the White House are likely well-protected against thumb drive attacks, Mar-a-Lago has to balance security with the convenience of a lot of guests who aren’t the president of the United States, notes Mark Rasch, a former federal computer crimes prosecutor.
“You’re only as secure as your weakest link,” Rasch told me.
Malware-infected thumb drives, or USB sticks, have done a lot of damage to the U.S. government before.
The worst digital attack against the Defense Department in history, code-named Buckshot Yankee, began with an infected thumb drive that somehow connected to a classified network and began sending data back to the group that installed the malware — possibly Russian intelligence agencies — as the Post reported back in 2011.
Those classified systems were air gapped — meaning there were no connections between them and the outside Internet. So, an email or Internet link carrying malware couldn’t reach them, but an infected thumb drive plugged directly into the network could.
That 2008 operation was fundamental to the Pentagon’s decision to launch U.S. Cyber Command in 2010, the command’s first chief Keith Alexander has said. It also led the Pentagon to ban flash drives and other “removable media” from its computers, though the policy has many exceptions.
A thumb drive may also have been the delivery method for the Stuxnet worm, which the United States and Israel allegedly developed to slow Iran’s efforts to develop nuclear weapons.
Since the Buckshot Yankee era, thumb drives have become such a common method for spreading malware that digital investigators have given the tactic a name, Rasch said.
They call it a “lollipop drop” when intelligence agents or criminals leave infected thumb drives in an organization’s parking lot — hoping people who work there will pick them up and plug them into computers, Rasch said.
Intelligence agencies have also been suspected of arranging for the thumb drives to be given away at conferences, Rasch said.
As of 2011, the tactic was quite effective.
That year, the Homeland Security Department tested government employees by leaving flash drives in parking lots, according to a Bloomberg News report. The results: About 60 percent of the devices were plugged into computers, and that rose to 90 percent if the devices had an official government logo on them.
Malware-infected thumb drives are so common, in fact, that someone who’s caught with one is as likely to be a victim of hacking as a perpetrator, cautioned Rasch, who teaches courses on computer crime at George Washington University. The fact that Zhang was also carrying six other electronic devices raises suspicions, however, he noted. (The complaint does not provide details about the malware on the thumb drive or say whether Zhang’s other electronic devices were scanned for malware.)
And stories about the president discussing classified information in public spaces at Mar-a-Lago — such as in 2017 when he discussed a North Korean missile test with Japanese Prime Minister Shinzo Abe on the resort’s terrace — would give an adversary’s intelligence service plenty of incentive to try to infect computer networks at the resort with surveillance bugs, Rasch said.
“If I’m a foreign government and wanting to obtain information, I’m going to look at every possibility for an exploit,” he said.
Trump was at Mar-a-Lago this weekend, but there’s no evidence Zhang was ever near him.
Laurence Leamer, a Palm Beach writer who recently wrote a book about Mar-a-Lago, told my colleagues Devlin and David that a person who got past the receptionist desk, as Zhang did, would not be able to enter Trump’s private quarters, but could probably walk past the door to it. “You can go anywhere...There’s no checkpoints once you’re in there," he said.
The Secret Service said in a statement that "Mar-a-Lago Club’s management determines which members and guests are granted access to the property" -- not the Secret Service. "This access does not afford an individual proximity to the President or other Secret Service protectees."
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: The Russian anti-virus company Kaspersky, which the U.S. government banned from its networks in 2017 over concerns it might spy for the Kremlin, is still trying to clear its name.
The official justification for that ban was a Russian law that U.S. officials said would require Kaspersky to turn over customer information to the Russian government.
Kaspersky has always contended that it doesn’t spy for the Kremlin and that that particular law doesn’t apply to it. On Tuesday, the company circulated a legal analysis from a Swedish professor and expert on Russian law backing up that claim.
Here’s more from Cyberscoop’s Sean Lyngaas: “The analysis, done by Swedish law professor Kaj Hober, contends that Kaspersky Lab does not meet the Russian legal definition of an organization that disseminates information on the internet. Under Russian law, such organizations are required to grant authorities’ requests for metadata.”
“Hober also contended that because Kaspersky Lab does not make software for the purpose of ‘receiving, transmitting, delivering or processing electronic messages’ between internet users, the company would not be obligated to build technical features into products at the requests of Russian authorities.”
Kaspersky sued the U.S. government over the ban but lost at the federal district court and appeals court levels.
PATCHED: Officials are saving a bunch of money by conducting the 2020 Census online, but they’re also inviting hacking and disinformation operations that could undermine people’s faith in the decennial exercise, my colleague Tara Bahrampour reports.
“Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade’s worth of federal funding, congressional apportionment and redistricting throughout the country,” Tara noted.
“Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power,” Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census, told my colleague, adding: “I think there will be lots of attempts. We should be concerned.”
PWNED: Former top military leaders are sounding the alarm about the danger posed by U.S. allies in Europe and Asia using the Chinese telecom Huawei to build their next-generation 5G wireless networks, my colleague Ellen Nakashima reports.
"Chinese-designed 5G networks will provide near-persistent data transfer back to China that the Chinese government could capture at will,” according to the officials, who include retired Adm. James Stavridis and retired Gen. Philip Breedlove, the two most recent commanders of NATO and U.S. European Command,
“There is reason for concern that in the future the U.S. will not be able to use networks that rely on Chinese technology for military operations in the territories of traditional U.S. allies or emerging partners in Europe, Asia, and beyond,’’ the former officials write.
The group also includes retired Adm. Samuel Locklear III, former head of U.S. Pacific Command, and a former director of national intelligence, retired Lt. Gen. James R. Clapper Jr.
The statement comes after Joint Chiefs of Staff Chairman Joseph F. Dunford Jr. forecast a “broad, fundamental” threat to national security if Huawei is permitted to build allies’ networks in a House Armed Services Committee hearing last week.
Sens. Tom Cotton (R-Okla.) and John Cornyn (R-Tex.), who sit on the Senate Intelligence Committee, also cautioned allies against Hauwei in a Post op-ed Tuesday, warning: “If you want to keep your enemies at bay, don’t let in the Trojan horse.”
-- Sens. Tom Cotton (R-Okla.) and John Cornyn (R-Tex.) have harsh words for allies considering allowing Huawei to build their next-generation 5G wireless networks in a Post op-ed: “If you want to keep your enemies at bay, don’t let in the Trojan horse.”
The arguments from the senators, who both serve on that chamber’s Intelligence Committee, mirror those previously made by executive branch officials, but are remarkable for the bluntness of their language.
“Adopting Chinese 5G technology will force the United States to reevaluate long-standing intelligence and military partnerships to protect our security interests,” the senators write.
If allies don’t heed that call, they warn: “We could soon live in an unpredictable environment where information flows at the discretion of an authoritarian power, which at all times has its ear to the door and its finger on the kill switch.”
Huawei has firmly denied spying for the Chinese government. Some intelligence and military officials have begun planning for a world in which Huawei controls large parts of global 5G networks and the United States must mitigate the risk.
Cybersecurity news from the public sector:
Cybersecurity news from the private sector:
Cybersecurity news from abroad: