That story about the Chinese woman accused of unauthorized entry to Trump’s Mar-a-Lago? It gained a weird new twist this week.
The Feds protecting the President supposedly found a USB stick and did the last thing you should ever do with an untrusted device—they stuck it into a PC. A Secret Service agent testified the PC then behaved in a “very out-of-the-ordinary” way. It’s still unclear what Yujing Zhang was attempting to do at President Trump’s private club in Florida.
On the face of it, this is really appalling operational security. But in today’s SB Blogwatch, we dig a little deeper.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: it.
What’s the craic? Here’s Dan Goodin, in “Thumb drive carried by Mar-a-Lago intruder immediately installed files on a PC”:
The already suspicious account of a Chinese national who allegedly carried four cellphones, a thumb drive … and other electronics as she breached security … just grew even more fishy. … Yujing Zhang’s hotel room had a signal detector and additional suspicious possessions. … The malware she carried may have been able to infect computers as soon as it was plugged into a computer..
A preliminary forensic investigation found the thumb drive contained malware. [But the] testimony from the Secret Service raises questions about the security practices that the agency takes. … An agent examining the seized thumb drive had to “immediately stop the analysis to halt any further corruption of his computer.” … It suggests that the agent connected the drive to the same computer used for official Secret Service work.
The Stuxnet worm is the best known example of malware that was able to jump from a thumb drive to a computer. … A Secret Service official [said] that the agency has strict policies over what devices can be connected to computers. … The agent didn’t know why Ivanovich testified that the analysis was quickly halted when the connected computer became corrupted.
Expect more scrutiny of … the lax policies that led to the breach to continue, possibly for months to come.
Understatement of the century? Zack Whittaker—“No one, not even the Secret Service, should randomly plug in a strange USB stick”:
A Chinese national, Yujing Zhang, who is accused of trying to sneak into President Trump’s private Florida resort … sparked new concerns about the president’s security amid concerns that foreign governments have tried to infiltrate the resort. Allegations aside … what sent alarm bells ringing was how the Secret Service handled the USB drive, which … was not good.
USB keys are a surprisingly easy and effective way to install malware. … As soon as the drive plugs in, it can install malware that can remotely surveil and control the affected device — and spread throughout a network.
A Secret Service spokesperson said the device was “standalone,” but wouldn’t be pressed on details. It remains unknown why the agent “immediately” pulled out the drive in a panic.
So what’s going on here? Jake Williams—@MalwareJake—was among the first infosec people to spot it:
As a taxpayer, I’m very concerned about where Agent Ivanovich’s laptop is and where it’s been since he plugged a malicious USB into it. If this was the Secret Service quick reaction playbook [maybe] Zhang planned to be caught all along (another possible explanation for her sloppy tradecraft).
If it was an airgapped computer, why did he remove the USB to “halt any further corruption of his computer?” Remember, he testified under oath here.
Honestly, I’d be happier to learn that he was licking drugs before he inserted the USB. At least that’s an affirmative defense.
I read this as a canned “quick, cover this up” statement. One of three things happened:
1. The agent who testified perjured himself with an intentional mischaracterization of events,
2. The agent understands so little he shouldn’t be testifying,
3. It went down just like he said.
As someone who deeply values our constitutional protections, [#2] is actually the least desirable option.
The context is that the Secret Service has never needed to deal with balancing security and commercial interests (e.g. Mar-a-lago) before. They face the wrath of the president if they harass guests. I can totally see someone “just getting it done” to avoid that.
And what about the purity of evidence? @chalin scoffs at agent Samuel Ivanovich’s testimony:
[He] describes the USB as “malicious malware.” Um, redundant much?
[He] says he’s never seen “a file immediately begin to install itself.” There’s only a whole genre of viruses called “self-executing.”
This guy is capital D – Duh. [But] it’s actually an elite, highly selective law enforcement branch. Pretty sure they recruit from the same pool as the FBI (so you have to be both smart & fit).
They may have also F’d up chain of custody on the USB by “activating” it w/out first doing a digital inventory/analysis.
And ColdWetDog thinks it’s “perfectly weird”:
What do they do with hand grenades? Pull the pin to see what happens?
But Jeff Martin—thinks we should cut him some slack:
Let’s not rush to judgement without the details. It is possible that the official system is too annoying and cumbersome so agents use a throwaway device for quick analysis, possibly without the knowledge of higher ups.
They may be quite aware of the dangers but find that doing it this way saves a lot of time dealing with false positives instead of treating every device like plutonium from the start.
And Phill Hallam-Baker refers to the non-PC name of the Telephone game:
I rather suspect that we have Chinese whispers here.
I have worked with the Secret Service, they do stuff by the book. So I am 99% certain that the USB drive was put into an evidence bag on site. … An agent is not going to open a tamper-proof evidence bag and put the drive into their personal laptop. That makes no sense.
So it is going to be plugged into a machine dedicated to forensics. … That machine should have a trigger built in to detect attempts to erase whatever is on the USB stick.
So basically the report sounds to me like the Secret Service did exactly what they are supposed to and the USB stick caused the virtual machine to halt as it is supposed to before it could corrupt the evidence. Which is exactly what you would want.
That would spread as rumor among agents without forensic expertise who interpolated.
By the book? David Lawrence—dwl-sdca—thinks more about it:
The more I think about this the more I wonder if this is something akin to misinformation.
I’ve been on … committees with Secret Service agents. They were anything but inept.
They were among the most stoic, rigid, by-the-book, follow-the-rules type people I’ve ever encountered.
Wait. Pause. How is a USB stick auto-running in 2019? LunarSeer shoots for the moon:
The way USB devices (and peripherals generally) work is that they have embedded controllers with instructions and writeable memory on them. This means that although visually on the outside it looks like a dumb USB drive, you have no idea what it will do once plugged in.
Thus if you need to investigate a fishy USB drive, you need an isolated machine that you can use. Or, if you aren’t doing an investigation, don’t attach USB drives unless you trust the source (straight from the manufacturer).
Meanwhile, Brian Krebs cycles us back around to the start: [You’re fired—Ed.]
Pretty sure this is not what they meant when they said “taking a bullet for the president.” This is infosec training 101, and could have just as easily corrupted the evidence.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE.