Arrest at Mar-a-Lago spotlights simple but pervasive threat of thumb drives

The arrest of a Chinese citizen carrying a malware-infected thumb drive at Mar-a-Lago is a reminder that digital threats don’t always arrive via email or complex hacks. Sometimes they’re hand delivered. When Yujing Zhang was arrested at President Trump’s Florida resort Saturday, she was carrying four cellphones, a laptop, an external hard drive and the thumb drive, which “a preliminary forensic investigation” determined contained malicious software, according to the criminal complaint filed in a federal court Monday. It's unclear so far why Zhang, who my colleague Devlin Barrett and David Fahrenthold reported was charged with making false statements and entering a restricted area, was at the resort or what she planned to do with the thumb drive. But her suspicious cargo serves as a reminder that sometimes even simple tricks can be incredibly effective at stealing information or disrupting data. It also underscores the complexities of providing cybersecurity for a president who loves to visit his other properties. Thumb drives remain a popular method for digital attacks because they get around common computer defenses that are more likely to trust something a person inserts directly into the computer. While secure sites such as the White House are likely well-protected against thumb drive attacks, Mar-a-Lago has to balance security with the convenience of a lot of guests who aren’t the president of the United States, notes Mark Rasch, a former federal computer crimes prosecutor. “You’re only as secure as your weakest link,” Rasch told me. Malware-infected thumb drives, or USB sticks, have done a lot of damage to the U.S. government before. The worst digital attack against the Defense Department in history, code-named Buckshot Yankee, began with an infected thumb drive that somehow connected to a classified network and began sending data back to the group that installed the malware — possibly Russian intelligence agencies — as the Post reported back in 2011. Those classified systems were air gapped — meaning there were no connections between them and the outside Internet. So, an email or Internet link carrying malware couldn’t reach them, but an infected thumb drive plugged directly into the network could. That 2008 operation was fundamental to the Pentagon’s decision to launch U.S. Cyber Command in 2010, the command’s first chief Keith Alexander has said. It also led the Pentagon to ban flash drives and other “removable media” from its computers, though the policy has many exceptions. A thumb drive may also have been the delivery method for the Stuxnet worm, which the United States and Israel allegedly developed to slow Iran’s efforts to develop nuclear weapons. Since the Buckshot Yankee era, thumb drives have become such a common method for spreading malware that digital investigators have given the tactic a name, Rasch said. They call it a “lollipop drop” when intelligence agents or criminals leave infected thumb drives in an organization’s parking lot — hoping people who work there will pick them up and plug them into computers, Rasch said. Intelligence agencies have also been suspected of arranging for the thumb drives to be given away at conferences, Rasch said. As of 2011, the tactic was quite effective. That year, the Homeland Security Department tested government employees by leaving flash drives in parking lots, according to a Bloomberg News report. The results: About 60 percent of the devices were plugged into computers, and that rose to 90 percent if the devices had an official government logo on them. Malware-infected thumb drives are so common, in fact, that someone who’s caught with one is as likely to be a victim of hacking as a perpetrator, cautioned Rasch, who teaches courses on computer crime at George Washington University. The fact that Zhang was also carrying six other electronic devices raises suspicions, however, he noted. (The complaint does not provide details about the malware on the thumb drive or say whether Zhang’s other electronic devices were scanned for malware.) And stories about the president discussing classified information in public spaces at Mar-a-Lago — such as in 2017 when he discussed a North Korean missile test with Japanese Prime Minister Shinzo Abe on the resort’s terrace — would give an adversary’s intelligence service plenty of incentive to try to infect computer networks at the resort with surveillance bugs, Rasch said. “If I’m a foreign government and wanting to obtain information, I’m going to look at every possibility for an exploit,” he said. Trump was at Mar-a-Lago this weekend, but there’s no evidence Zhang was ever near him. Laurence Leamer, a Palm Beach writer who recently wrote a book about Mar-a-Lago, told my colleagues Devlin and David that a person who got past the receptionist desk, as Zhang did, would not be able to enter Trump’s private quarters, but could probably walk past the door to it. “You can go anywhere...There’s no checkpoints once you’re in there," he said. The Secret Service said in a statement that "Mar-a-Lago Club’s management determines which members and guests are granted access to the property" -- not the Secret Service. "This access does not afford an individual proximity to the President or other Secret Service protectees."