Cybersecurity experts are scratching their heads over the Secret Service investigation into the thumb drive infected with malicious software that was carried by a Chinese citizen arrested at Mar-a-Lago.
A law enforcement source tells me that investigation was conducted according to protocol: A Secret Service agent loaded the drive onto a stand-alone computer that was segregated from government networks and watched as it did what malware is supposed to do -- infect files and try to steal information.
But testimony from Secret Service agent Samuel Ivanovich, who described the same testing in a court hearing Monday, sure made it sound like someone goofed.
“Ivanovich … testified that when the thumb drive they recovered from [Yujing] Zhang at the club was inserted into another agent’s computer ‘a file immediately began to install itself,’” my colleagues Lori Rozsa and Devlin Barrett reported. “The agent, Ivanovich said, had never seen that happen before.”
“He knew it was something out of the ordinary,” Ivanovich said of the other agent. “He had to immediately stop his analysis and shut down his computer in order to stop it.”
It’s that final line that had cybersecurity experts worried.
“In a lab, you want that malicious behavior to happen to its full level of badness so you can study how it operates,” Jake Williams, founder of the cybersecurity company Rendition Infosec, told me. “If he yanked the USB drive out to prevent further contamination, that’s highly indicative this wasn’t in a lab.”
Specialized labs for testing malware typically mimic all the things in a regular computer network that malware might manipulate, but they contain no real data that could be stolen or corrupted, and the test machines are disposable, so an infection is wiped and reimaged rather than cleaned up by hand. They’re also “air gapped” from the Internet, so the malware can’t call home to a command-and-control server or spread to production systems. The one thing an air gap does not stop is the removable media itself, which is why a lab also controls what crosses the gap: the suspect drive is imaged once, write-blocked, and nothing comes back out except hashes and reports.
The Secret Service declined to comment about the disconnect between the agent’s actions and what cybersecurity experts described as standard procedure when investigating malware, citing the ongoing investigation.
Williams, who previously worked for the National Security Agency, said he couldn’t think of a situation in which a trained malware analyst would stop an investigation part of the way through — and he wouldn’t expect someone who wasn’t a trained malware analyst to have access to the proper testing environment.
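The lab workflow described above starts with a static, read-only look at the drive before anything is allowed to run. As an added illustration (not code from the original article or from the Secret Service), here is a small triage script that walks a read-only mount of an imaged stick, hashes every regular file and flags the things that make a USB drive dangerous to plug into an ordinary workstation: autorun metadata, executable extensions, executable magic bytes hiding behind a harmless-looking extension, and double extensions. The sample files it builds are constructed for the example and contain only a PE header stub, not real malware; the extension and magic-byte lists are illustrative, not exhaustive.

```python
"""Read-only static triage of a suspect removable drive (added example).

Walks an already-mounted, read-only copy of the drive, hashes every regular
file and flags risky artefacts. Nothing is opened except for reading and
nothing is executed, so this can run before any dynamic analysis in the lab.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Names and extensions that warrant a second look. Illustrative, not exhaustive.
AUTORUN_NAMES = {"autorun.inf"}
EXECUTABLE_SUFFIXES = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".lnk", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".jar", ".msi",
}
# Leading bytes of common native executable formats.
MAGIC = {
    b"MZ": "pe",
    b"\x7fELF": "elf",
    b"\xcf\xfa\xed\xfe": "macho",
    b"\xfe\xed\xfa\xce": "macho",
}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sniff_magic(path: Path):
    """Return the executable format implied by the first bytes, or None."""
    with path.open("rb") as f:
        head = f.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def triage(mount_root) -> list:
    """Inventory every regular file under mount_root; never follows symlinks."""
    root = Path(mount_root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):  # followlinks=False by default
        for name in sorted(filenames):
            path = Path(dirpath) / name
            # A symlink or device node could point outside the image: skip it.
            if path.is_symlink() or not stat.S_ISREG(path.lstat().st_mode):
                continue
            suffixes = [s.lower() for s in path.suffixes]
            last = suffixes[-1] if suffixes else ""
            kind = sniff_magic(path)
            flags = []
            if name.lower() in AUTORUN_NAMES:
                flags.append("autorun")
            if last in EXECUTABLE_SUFFIXES:
                flags.append("executable-extension")
            if kind is not None and last not in EXECUTABLE_SUFFIXES:
                flags.append("executable-magic-mismatch")
            if len(suffixes) > 1 and last in EXECUTABLE_SUFFIXES:
                flags.append("double-extension")
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "size": path.lstat().st_size,
                "sha256": sha256_file(path),
                "magic": kind,
                "flags": flags,
            })
    return findings


# Constructed sample "drive" standing in for a read-only mount of the imaged
# stick. The PE files are a 4-byte header stub plus padding, not real malware.
SAMPLE_FILES = {
    "autorun.inf": b"[autorun]\r\nopen=invoice.pdf.exe\r\n",
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "photos/holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,  # PE bytes behind .jpg
    "notes.txt": b"nothing to see here\n",
}


def build_sample_drive(dest) -> Path:
    dest = Path(dest)
    for rel, data in SAMPLE_FILES.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return dest


def demo() -> dict:
    """Build the constructed sample, triage it, and return findings keyed by path."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = triage(build_sample_drive(tmp))
    return {f["path"]: f for f in findings}


if __name__ == "__main__":
    for rel, f in demo().items():
        print(f"{f['sha256'][:16]}  {f['size']:6d}  {rel:20s}  "
              f"{f['magic'] or '-':6s}  {','.join(f['flags'])}")
```

On a real case you would point `triage()` at a read-only loopback mount of a forensic image rather than the live device, and the hashes it emits are what leaves the lab, not the files.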
Cybersecurity experts were quick to pounce on Ivanovich's testimony -- and the seeming error.
“This is international cybersecurity warfare and they just stepped on a land mine,” Joe Hall, chief technologist at the Center for Democracy and Technology think tank, told me. “Hopefully that laptop had very little information on it.”
Lesley Carhart, principal threat hunter at the cybersecurity firm Dragos, succinctly summed up the mood of information security experts:
I didn’t really expect secret service field officers to have forensics capability, but I did expect a “no USB” policy.— Lesley Carhart (@hacks4pancakes) April 8, 2019
Williams was quick with a useful analogy:
This is equivalent of the Secret Service testifying "we knew the gun was dangerous because the agent shot himself in the foot with it. Then he needed surgery. Very dangerous indeed..."https://t.co/Vz9qiuKvFM pic.twitter.com/A9s7vhIbpS— Jake Williams (@MalwareJake) April 8, 2019
Cryptography expert and Georgetown University Professor Matt Blaze was intrigued that the malware made itself known so quickly — maybe suggesting it wasn’t very good.
I wonder how they noticed what it was doing. I’d have thought the set of people careless enough to insert suspect USB sticks into computers yet vigilant enough to notice something subtly amiss would be close to empty. Maybe this was crappy malware that triggered popup alerts? — matt blaze (@mattblaze) April 8, 2019
Carhart also noted that even highly skilled malware analysts have screwed up and infected things they shouldn’t have.
Half the malware analysts I know have infected their host machine by screwing up VMware USB settings. The other half are liars.— Lesley Carhart (@hacks4pancakes) April 8, 2019
The arrest has sparked broad concerns about security at Mar-a-Lago, which, unlike previous presidential retreats, is frequented by numerous people beyond the president and his guests.
In addition to the malware-infected thumb drive, Zhang was carrying four cellphones, a laptop and an external hard drive, according to the initial criminal complaint.
“A subsequent search of Zhang’s hotel room turned up more that alarmed investigators: nine thumb drives, five SIM cards for cellphones, about $8,000 in cash, several credit and debit cards, and a device used to detect hidden cameras, officials said,” according to my colleagues Lori and Devlin.
There’s no firm evidence yet that Zhang was working on behalf of the Chinese government or another nation’s intelligence service, but the plethora of digital hardware is enough to give any information security analyst heartburn — especially because Trump has a history of discussing sensitive information in open-air portions of the resort.
Lawmakers are taking notice, too.
Senate Minority leader Chuck Schumer (N.Y.) demanded Monday that Secret Service Director Randolph “Tex” Alles, whose departure was announced yesterday, testify before Congress about the incident.
The outgoing Secret Service director Randolph “Tex” Alles must testify before Congress as soon as possible about the potential security vulnerabilities at Mar-a-Lago involving a Chinese national arrested with malware, and other counterintelligence and national security threats.— Chuck Schumer (@SenSchumer) April 8, 2019
The Secret Service noted in a statement shortly after Zhang’s March 30 arrest that “club management determines which members and guests are granted access to the property” although “this access does not afford an individual proximity to the President or other Secret Service protectees.”
PINGED: Mastercard, Microsoft and Workday are announcing a new initiative this morning aimed at getting new college graduates into government cybersecurity jobs.
The companies are partnering with 11 federal agencies that will offer two-year fellowships to about 50 recent graduates starting in 2020, officials told me. Once they complete those two years with government, the fellows will be offered fast-track consideration for full-time cybersecurity jobs at one of the program sponsors plus up to $75,000 in college loan forgiveness.
The agencies are paying the cost of the fellowships, but the companies are footing the bill for the administrative costs and the loan forgiveness. The program is being managed by the Partnership for Public Service, a non-profit focused on government efficiency. The effort is aimed at reducing a national shortage of cybersecurity workers that's currently hovering around 300,000 trained workers, according to government data.
Participating federal agencies include the Defense and Energy departments as well as the FBI and CIA.
The organizations hope to run the Cybersecurity Talent Initiative every year and to add new corporate sponsors and new participating agencies along the way, Mastercard Chief Security Officer Ron Green told me.
One benefit for the companies is that, by the time the fellows arrive in the private sector, they’ll have experience protecting against the sophisticated and often nation-state backed hackers that target government, he said.
While the program is designed for fellows to just work two years in government, Partnership for Public Service CEO Max Stier told me he hopes some fellows will either stay in government or bounce back and forth between government and industry throughout their careers.
Correction: A previous version of this article incorrectly cited agencies involved in the initiative. Homeland Security is not involved at this point.
PATCHED: Senators reintroduced two cybersecurity bills from last Congress Monday. The State Cyber Resiliency Act, sponsored by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.) would create a DHS-run grant program for states to improve their cybersecurity protections.
The Cyber League of Indo-Pacific States Act, sponsored by Gardner and Sen. Chris Coons (D-Del.) would create a cybersecurity alliance in the region focused on sharing digital threat information, extraditing cyber criminals between nations and collectively imposing consequences on nations that violate norms of good behavior in cyberspace.
PWNED: The resignation of Secret Service Director Alles marks another blow to the top ranks of government cybersecurity leadership one day after Homeland Security Sec. Kirstjen Nielsen offered her own resignation.
The Secret Service is responsible for investigating a large share of financial cybercrimes. The twin departures could hinder the government’s civilian cybersecurity mission, which has been largely managed out of DHS since the elimination last year of the White House cybersecurity coordinator position.
Senior DHS officials are “in a fog about the fate of their agency’s leaders, expecting more firings as part of a widening purge,” my colleagues Nick Miroff, Toluse Olorunnipa, Josh Dawsey and Carol D. Leonnig reported.
“Several administration officials...said Monday that Trump appears to be taking out his frustrations on the entire DHS leadership, convinced he needs a full sweep,” they reported.