Techies Snicker at Secret Service Agent’s Mar-a-Lago Malware

Photo Illustration by The Daily Beast/Getty/Reuters/Kevin Lamarque
Photo Illustration by The Daily Beast/Getty/Reuters/Kevin Lamarque

A Secret Service agent investigating Yujing Zhang’s visit to Mar-a-Lago infected one of the agency’s own computers with the malware carried in by the unannounced Chinese national, a move that provoked wide derision Monday from computer security professionals.

“You don’t put an unknown USB into your computer,” said Chris Wysopal, chief technology officer at Veracode. “That’s in all the training everyone gets, even in your dumb corporate training. You even tell your mom that.”

Wysopal’s tweet highlighting the apparent gaffe earned more than 3,000 retweets Monday, as the computer security community executed a collective face-palm. “Whoa! Never seen that USB execution thing before!” quipped Kaspersky researcher Kurt Baumgartner. “Sounds like an agent trying to crack the case before the cyber team got there,” opined Eric O’Neill, a former FBI surveillance specialist.

In a sworn affidavit filed at Zhang’s arrest, the agency said it discovered the “malicious malware” during a “preliminary forensic examination” of the thumb drive. The new details that emerged at a hearing in West Palm Beach sound a lot more like the Secret Service just plugged the USB drive into one of its computers.

The biggest giveaway is that the review was cut short when the examining agent noticed “a file” installing itself on the agent’s machine. “He stated that he had to immediately stop the analysis and shut off his computer to halt the corruption,” testified the Secret Service’s Samuel Ivanovich, according to The New York Times. The thumb drive’s behavior was “very out of the ordinary,” Ivanovich added.

Forensics examiners don’t usually interrupt malware when it’s in the middle of giving itself away, security experts point out. “For all you know, if the thing is doing something, and you pull it out, it might detect that it’s been seen,” said Wysopal. “Forensically it makes no sense.”

“Let it run,” said Michael Borohovski, co-founder of Tinfoil Security and an intelligence-community veteran. Borohovski notes that a professional forensic environment runs within a virtual machine where there’s no concern of infection. “Watch it run. Attach a debugger. Then restore your safe snapshot and do it all over again to your heart’s content.”

The Secret Service didn’t respond to inquiries for this story.

Government agencies have been rightfully leery of USB drives since a Russian virus used them to infiltrate U.S. military networks on a massive scale in 2008. The same technique was also used against Iran in a partially successfully cyberattack on a uranium enrichment facility that was reportedly engineered by the U.S. and Israel.

“USB drives have been involved in many cases involving the loss of sensitive information,” reads a 2010 advisory from the Secret Service’s parent organisation, the Department of Homeland Security. “Their small size and increasingly high storage capacity has been instrumental in the loss of or theft of sensitive information from enterprise networks.”

A former Secret Service cybercrime agent told The Daily Beast that the agents were more likely screening the device to see if it was a fake USB drive concealing something nefarious, the way TSA screeners once made travelers switch on their laptops. When the thumb drive proved real, then turned and attacked, they’d have realized they were in over their heads.

“Most of the basic training that agents get is just around how the internet works and the basics on digital media,” said Levi Gundert, vice president of intelligence and risk at Recorded Future. “Typically the advice is, ‘Look, if you’re in a situation and it’s anything even remotely complex, you need to get an agent who’s trained in digital forensics.’ The agents who do digital forensics, that’s all that they do.”

Yujing Zhang is being held on charges of making false statements to federal agents and entering a restricted area. Reached by the The Daily Beast, the Secret Service had no immediate comment on the malware incident. The agency is still reeling after Trump fired Secret Service Director Randolph “Tex” Alles on Monday as part of a purge of DHS leadership.

Read more at The Daily Beast.

Got a tip? Send it to The Daily Beast here