Like something out of a James Bond movie, or maybe Johnny English, she carried two passports, four cell phones, a laptop, an external hard drive and a thumb drive while trespassing at an exclusive club, one owned and visited regularly by President Trump. The woman, Yujing Zhang, told security that she was going for a swim when she arrived at Mar-a-Lago in South Florida, but when the security officer checked the guest list they didn't find her name. She pretended that she didn't know English even though she did. The security officer, assuming she was related to a guest, let her through.
When she arrived at the reception desk her story changed. Zhang told the receptionist that she was there for an event. But no such event was scheduled. The receptionist also reviewed the guest list and again found Zhang was not on the list. The receptionist explained the situation to Zhang and told her she must leave, after which the receptionist called Secret Service.
When questioned by the Secret Service agent, Zhang produced a flyer about the event, but since the event didn't exist, the agent told her again that she couldn't be there. Agents reviewed her thumb drive and found malware, but not before infecting their own laptop!
This ongoing case provides a good example of what to do and what not to do when it comes to security. As a computer security analyst with former training in perimeter security through the US military, I reviewed this story and found both good and bad security practices. First, perimeter security failed miserably. Zhang was not on the guest list, and the security officer presumed she was related to a guest. They allowed her access even though she gave no clear reason why she should have it. Zhang used her nationality to confuse the security officer, pretending she didn't know English. Asking clear questions and repeating them until you get a good response prevents assumptions. If you don't get a clear response, that person should never be given access. The receptionist and the Secret Service agents inside asked clear and repeated questions, and they prevented her from going any further.
While she obviously presented a physical risk, she also presented a cyber risk with the electronics she carried. While some businessmen and women have multiple cell phones, most people don't have four, and certainly not if they intend to just go swimming. If her plan was to leave the thumb drive near a meeting room, someone with a higher security clearance could have picked it up and plugged it into their laptop out of curiosity, possibly compromising the laptop. If she left the phones behind, then any calls made on them might be recorded. Malicious thumb drives, nicknamed a "Rubber Ducky" after the Hak5 product, are a common tool in a hacker's arsenal. Attackers leave these devices in the area on purpose for a victim to find and plug into their computer.
We can take lessons from this story. Only allow a person physical access to an area if they meet the required conditions, without exception. Had this rule been followed, Zhang, the trespasser, wouldn't have made it through the first checkpoint. Additionally, if you ever come across a device, not just a USB drive, you should never plug it into your computer without first checking the contents of the drive with a virus scan in a safe environment. Even better, separate the test computer from the network. With proper training, our own environments will be better safeguarded than Mar-a-Lago.
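As an added illustration of that last lesson (example code written for this post, not a tool from the original article): a small read-only triage script for a found drive that refuses to run unless the analysis machine is cut off from the network, then inventories every file with its SHA-256 hash and flags autorun files, executables and double-extension names without ever opening or executing them. The isolation check, the risky-name lists and the sample drive it builds are all my own assumptions and constructed data.

```python
"""Offline triage of a found USB drive (added example, not from the original post)."""
import hashlib
import socket
import tempfile
from pathlib import Path

# Assumed lists: names and extensions that warrant a closer look before anything is opened.
RISKY_NAMES = {"autorun.inf", "desktop.ini"}
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jar", ".hta"}


def network_is_isolated(probe_host="example.com"):
    """True only when a DNS lookup fails, i.e. the analysis box has no network path out."""
    try:
        socket.gethostbyname(probe_host)
        return False
    except OSError:
        return True


def sha256_of(path, chunk=65536):
    """Hash a file by reading bytes only; the file is never executed or handed to its handler."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_drive(mount_point, isolation_check=network_is_isolated):
    """Walk a mounted drive read-only; return one record per regular file with hash and risk flags."""
    if not isolation_check():
        raise RuntimeError("analysis host still reaches the network; refusing to touch the drive")
    report = []
    for path in sorted(Path(mount_point).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip links and directories; only inventory real files
        flags = []
        if path.name.lower() in RISKY_NAMES:
            flags.append("autorun/metadata file")
        if path.suffix.lower() in RISKY_SUFFIXES:
            flags.append("executable or script")
            if path.name.count(".") > 1:
                flags.append("double extension")  # e.g. invoice.pdf.exe
        report.append({"path": str(path.relative_to(mount_point)), "size": path.stat().st_size,
                       "sha256": sha256_of(path), "flags": flags})
    return report


def flagged(report):
    """Only the entries that need a human or sandbox look."""
    return [entry for entry in report if entry["flags"]]


def make_sample_drive():
    """Constructed stand-in for a mounted drive: one benign image, one autorun file, one disguised exe."""
    root = Path(tempfile.mkdtemp(prefix="found_drive_"))
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (root / "invoice.pdf.exe").write_bytes(b"MZ")
    return str(root)
```

Run it on a real mount point only from an isolated analysis machine; the constructed sample drive exists so the logic can be exercised without any physical device.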