Tuesday, April 9, 2019

The Story of the Chinese Woman At Mar-a-Lago Takes a Nasty Turn

The story of the Chinese woman who was apprehended at Mar-a-Lago with, shall we say, suspicious items in her possession took a turn for the more sinister Monday.  Ars Technica brings a detail I've seen nowhere else.  First, some necessary background info for those not fully familiar with the story.
The already suspicious account of a Chinese national who allegedly carried four cellphones, a thumb drive containing malware, and other electronics as she breached security at President Trump's private Florida club just grew even more fishy.

The possessions in Zhang's hotel included five SIM cards, nine USB drives, yet another cell phone, and a signal detector that could scan an area for hidden cameras, according to reports widely circulated Monday. In addition to the electronics, Zhang's hotel room also contained more than $8,000, with $7,500 of it in US $100 bills and $663 in Chinese currency, The Miami Herald reported.
Zhang was in court Monday to decide if she gets bail.  The Feds argue that she's a flight risk because she has no ties to the US and (direct quote), "She lies to everyone she encounters."  None of this seems particularly weird.

The first thing that seems weird, beyond the "signal detector that could scan an area for hidden cameras" (probably something like the eBay "bug detectors" that receive on frequencies common cameras use), is the sheer volume of hardware she was carrying.  When she was first stopped, she was carrying two Chinese passports, four cellphones, a laptop computer, an external hard drive, and a thumb drive.  Back at the hotel where she was staying they found a fifth cellphone, five SIM cards, and nine more thumb drives.  $7500 in $100 bills and another $663 in Chinese currency seems like expense money.  The thing that stands out as really unusual is the particularly nasty malware on that thumb drive they grabbed at Mar-a-Lago.  According to Ars, quoting the transcript from the hearing:
Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang's thumb-drive into his computer, it immediately began to install files, a "very out-of-the-ordinary" event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.
I'm nowhere near an expert on tradecraft and I couldn't tell you if this seems like she's a Chinese agent, a freelancer, or working for a domestic Democratic candidate.  It does seem like this is a bit more than casual.  A noteworthy exchange during the bond hearing went like this:
Adler, Zhang’s attorney, pushed back during the hearing on the idea that she was a spy.

“She did not have the type of devices that can be associated with espionage activities,” he said.

Garcia, the prosecutor, replied that “there is no allegation [in the criminal complaint] she was involved in espionage ...”
Adler's line is stupid.  A pencil can be "associated with espionage activities".  Garcia saying, "we never said she was a spy" is also stupid.  Especially because he also said he wouldn't rule out charging her with that later, or "more serious charges."

This is the very beginning of the beginning; think page 2 of a 400 page novel.  I wanted to believe that agent Ivanovich's partner, the one who plugged the USB stick into a laptop, wasn't using just a regular agency laptop, but rather one that was air gapped from every other SS machine and dedicated to this purpose.  However, he specifically said, "... had to immediately stop the analysis to halt any further corruption of his computer," and that quote doesn't go together with using a special computer designed for forensic examinations.

I'd like to think the Secret Service is not so dumb they're going to plug a piece of irreplaceable evidence that could contain anything into a plain agency laptop, but it seems like they did.  Jake Williams, a former hacker for the National Security Agency who is now a cofounder of Rendition Infosec, said on Twitter,  "As a taxpayer, I'm very concerned about where Agent Ivanovich's laptop is and where it's been since he plugged a malicious USB into it. If this was the Secret Service quick reaction playbook, perhaps Zhang planned to get caught all along (not joking)."
A Secret Service official speaking on background told Ars that the agency has strict policies over what devices can be connected to computers inside its network and that all of those policies were followed in the analysis of the malware carried by Zhang.

"No outside devices, hard drives, thumbdrives, et cetera would ever be plugged into, or could ever be plugged into, a secret service network," the official said. Instead, devices being analyzed are connected exclusively to forensic computers that are segregated from the agency network. Referring to the thumb drive confiscated from Zhang, the official said: "The agent didn’t pick it up and stick it into a Secret Service network computer to see what was on it." The agent didn't know why Ivanovich testified that the analysis was quickly halted when the connected computer became corrupted.
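As an added example (not code from this post, from Ars, or from the Secret Service), here is a pre-flight check in the spirit of the segregated forensic computer the official describes: it parses constructed `ip -o link show` and `dmesg` output and refuses to proceed if any network link is up, if the stick was attached writable, or if the host auto-mounted it. The three rules are assumptions for illustration, not the agency's actual procedure.

```python
import re

# Constructed sample of `ip -o link show` from a workstation that is NOT
# isolated: eth0 is still up.
IP_LINK_NOT_ISOLATED = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
"""
# Same host after the operator took every non-loopback link down.
IP_LINK_ISOLATED = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
"""
# Constructed dmesg excerpt: a stick enumerates as removable storage with the
# hardware write-protect off, and the kernel then mounts a partition from it.
DMESG_SAMPLE = """\
[  101.201] usb 1-2: new high-speed USB device number 5 using xhci_hcd
[  101.350] usb-storage 1-2:1.0: USB Mass Storage device detected
[  102.410] sd 6:0:0:0: [sdb] Write Protect is off
[  102.412] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  103.010] EXT4-fs (sdb1): mounted filesystem with ordered data mode.
"""

LINK_RE = re.compile(r"^\d+:\s+(\S+?):\s+<([^>]*)>")
WP_RE = re.compile(r"\[(sd[a-z]+)\] Write Protect is (on|off)")
MOUNT_RE = re.compile(r"\((sd[a-z]+\d*)\): mounted filesystem")


def interfaces_up(ip_link_output: str) -> list:
    """Names of non-loopback links carrying the UP flag."""
    up = []
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m and m.group(1) != "lo" and "UP" in m.group(2).split(","):
            up.append(m.group(1))
    return up


def intake_findings(ip_link_output: str, dmesg_output: str) -> list:
    """Policy violations for plugging evidence media into this host (assumed
    rules: no link up, removable media read-only, nothing auto-mounted)."""
    findings = [f"network link {i} is UP" for i in interfaces_up(ip_link_output)]
    for dev, state in WP_RE.findall(dmesg_output):
        if state == "off":
            findings.append(f"{dev} attached writable; set it read-only before use")
    for part in MOUNT_RE.findall(dmesg_output):
        findings.append(f"{part} was auto-mounted; disable automount on this host")
    return findings


def safe_to_proceed(ip_link_output: str, dmesg_output: str) -> bool:
    """True only when no finding blocks the examination."""
    return not intake_findings(ip_link_output, dmesg_output)
```

On a real box the two strings would come from `ip -o link show` and `dmesg` run before the stick is inserted and again right after.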
I've never seen a word about any computers being compromised at Mar-a-Lago, although I seriously doubt they would tell us.  Oh, and "they say" that the head of the Secret Service, Randolph 'Tex' Alles, stepping down has nothing to do with this.

Again, it's very early in the story.  Everything we think we know is probably wrong.

Mar-a-Lago, White House Photo


  1. Yes, more than likely a Democrat Party contractor.

  2. There's a reason Trump fired the SS director. Now I see why.

  3. I sure hope that the USB drive was plugged into a forensics computer, but doubt that it was. Why would you suddenly turn it off?

    The Secret Service used to have a decent computer forensics unit, but this was 30 years ago.

  4. It is truly scary how utterly ignorant the vast majority of people are regarding basic cyber security. If everyone followed just three rules, 1. Use strong unique passwords. 2. Don't open email attachments/ click on blind links. 3. Never plug a USB drive or insert ANY CD into a PC unless you are 100% certain it is safe. Following these three rules would prevent probably 95% of ALL hacking, malware, ransomware and virus problems.

  5. Referring to the thumb drive confiscated from Zhang, the official said: "The agent didn’t pick it up and stick it into a Secret Service network computer to see what was on it." The agent didn't know why Ivanovich testified that the analysis was quickly halted when the connected computer became corrupted.

    Who are you going to believe, me or your lying eyes?

    1. This might be one of those "depends on what the definition of 'is' is" things. Maybe if it wasn't actually connected to the SS network with an Ethernet cable (or WiFi) he can say that. He didn't say it wasn't a Secret Service computer. He said the guy "didn't stick it in a Secret Service network computer."

      You know how lawyers are.

  6. If it was Chinese government-grade spyware, it's already loose. It would have executed code to jump out through the wifi before it started actually transferring files.

    We are surrounded by idiots

  7. On hacking and computer security, a good friend of mine works in the I.S. department of a small city in California. They had a seminar about computer security for everyone whose fingers touched a keyboard at work, and three days later simulated a security breach - a link in some email from an unknown source. One-third of the people clicked the link, and out of those one-quarter filled out their personal information as directed, including SS number. The biggest offenders? Cops. Right after that came the fire department.

  8. Simple case of wrong address. Was looking for "Wasserman-Schultz residence."

  9. I think this is one of those walks like a duck, quacks like a duck situations.

    I worked for a company doing contract work for a large industrial company that was selling major projects in China. At our orientation we were told by the security folks that our customer had a meeting in their headquarters with numerous Chinese personnel for a presentation on the progress of the projects. The Chinese asked for and received permission to download the presentation on to a USB drive. A day later the IT folks got a call from the FBI asking why they were sending a large amount of data to China. The IT guys said they weren't; the FBI said that since the meeting the company had been transmitting data non-stop to China. Turned out the USB drives had installed malware that was copying and downloading the contents of the entire corporate network to China. This was in the early 2000s.