[BreachExchange] Lake Worth ‘zombie alert’ hacker used a city email to breach system

Destry Winant destry at riskbasedsecurity.com
Fri Oct 12 04:32:28 EDT 2018


https://www.mypalmbeachpost.com/news/lake-worth-zombie-alert-hacker-used-city-email-breach-system/DV1ugfLLxTuOOkMpckgfOJ/

To atone for their infamous zombie alert heard ‘round the world, city
officials are issuing a new one. And this time it’s for real.

In what they hope will be an amusing spectacle of self-parody,
electric utility crews will park a bucket truck inside a makeshift
zombie quarantine zone at the downtown Cultural Plaza on Oct. 26 for
the city’s annual Halloween party for kids.

“It’s just our way of poking fun at ourselves,” said city spokesman
Ben Kerr, referring to the May 20 power outage that the city’s hacked
notification system blamed on “extreme zombie activity,” inspiring
jokes on late-night television and headlines from as far away as
Australia.

The hoax also attracted dead-serious inquiries from the FBI and
Federal Communications Commission about how the system was hacked.
Nearly five months later, exactly who was responsible remains a
mystery.

But one cybersecurity expert has a pretty good idea about what
probably happened: A computer-savvy male in his teens or 20s pulled
off what is known as a “notoriety hack” aimed not at doing any harm
but at securing laughs and bragging rights among hackers.

“My guess is there is some smart teen in your neck of the woods who is
having a heyday claiming credit for this among the hacking community
on the dark web,” said James Norrie, dean of the Graham School of
Business at York College of Pennsylvania.

“The unfortunate part is that this exposes a weakness in your
utility,” he added. “The mere fact that someone could get into the
system is a wake-up call. What if you had a real pro that really
wanted to do some damage?”

Earlier this week, the city was dealing with another “potential
breach” related to its utility system. On Tuesday, the city warned
utility customers who pay their bills online that their credit card
information might have been breached over the past six weeks.

The vendor who manages the city’s online transactions is investigating
and “steps have been taken to neutralize any further potential breach
through the vendor’s system,” the city said.

Whoever created the zombie alert “used a city email” address to gain
access to the notification alert system, Darrell Lopez, chief
executive officer for Public Telephone Company of America, told The
Palm Beach Post. Lopez’s Orlando-based company designed and built the
city’s Power Tracker system in 2014.

Asked how he was so certain that the hacker had a Lake Worth city
government email address, Lopez told a Palm Beach Post reporter last
week before hanging up: “Because we traced it, and that’s all I’m
saying.”

That was news to Lake Worth utility officials, who wondered why Lopez
never shared that conclusion with them. In May, just two days after
the “zombie alert” went out, Kerr told media outlets that “no staff
member was found to be involved and no one has been fired for it.”

But even if the hacker had a city email address, that doesn’t
necessarily mean a city employee is responsible.

It’s possible that someone gained access through a “phishing attack,”
an email aimed at tricking someone — in this case a Lake Worth city
employee — into believing the message is something they need, such as a
request from a bank or a colleague, said Dr. Steven Andres, who
teaches management information systems at San Diego State University.

“It could also be a disgruntled employee,” Andres said. “It’s hard to tell.”

Norrie said, “It’s very likely to be somebody who has an insider’s
access or someone who corrupted an insider.”

The zombie alert actually was sent out in two separate outages, during
Hurricane Irma in September 2017 and on May 20, but city officials
erased the first one before it was viewed by the public.

PTC charges the city $2,000 a month for the Outage Notification
System, which includes automatic messages and emails and voice
recordings that offer explanations and updates when the power goes
out.

Also referred to as the Lake Worth Power Tracker, the system is not
connected to the city’s power grid.

The hack only affected a handful of pre-written messages that appeared
on the system’s online overlap map of the city, which has nearly 900
different sections or “layers.”

The messages are written by Lake Worth electric utility employees, but
they also can be accessed and edited by PTC employees, said Jason
Bailey, assistant director of system operations for the electric
utility.

Inspired by ‘Walking Dead’

When the power goes out, the map highlights the affected areas with
small red boxes. By clicking on one of the boxes, customers can read
brief pop-up messages with explanations and updates.

When the system works as it should, a map message might look like
this: “POWER OUTAGE 200 AND 300 BLOCK OF FORDHAM AND DARTMOUTH DRIVE
AND THE 2200 BLOCK OF NORTH FEDERAL HIGHWAY 34 CUSTOMERS AFFECTED
RESTORATION TIME 3 HOURS.”

On Sept. 9, 2017, as Hurricane Irma made landfall in South Florida,
Kerr was monitoring the scattered power outages on electronic maps in
the city’s Emergency Operations Center when he noticed this message:

“POWER OUTAGE AND ZOMBIE ALERT FOR RESIDENTS OF LAKE WORTH AND
TERMINUS. THERE ARE NOW FAR LESS THAN SEVEN THOUSAND THREE HUNDRED AND
EIGHTY CUSTOMERS INVOLVED DUE TO EXTREME ZOMBIE ACTIVITY. …”

Staring at the message, Kerr wondered if he was hallucinating from
exhaustion. He alerted electric utility officials a few miles away.

“I looked at it and I’m like, ‘holy crap!’ – the exact words that came
out of my mouth,” recalled Walt Gill, assistant electric utility
director.

The fake alert provided a clue about the person who wrote it: That
person most likely watches The Walking Dead, an AMC hit show about a
zombie apocalypse. “Terminus” is a fictional town featured in the
show’s fourth season, which premiered in 2013 and concluded on March
30, 2014, around the same time PTC installed the city’s system.

City workers promptly erased the fake message, which apparently went
unnoticed by the public. (With Irma’s outer bands raging, customers
likely didn’t need to consult the Power Tracker map for an explanation
of why the power went out.)

As a precaution, PTC changed the web address and the user account
passwords on Sept. 10, 2017. And city officials, not knowing if the
zombie alert was the work of a mischievous kid or someone with more
sinister motives, alerted the FBI.

After power was restored in the days after the hurricane, PTC
technicians worked with Bailey’s staff to review nearly 3,000
pre-written messages in the system to make sure they had killed off
any other “zombie alerts.”

“They thought they had captured every single one,” Gill said.

But eight months later, it happened again. And this time, during a
37-minute outage that affected 7,880 customers at 1:45 a.m. on May 20,
the public saw it.

“Normally during a power outage, they’re not happy. But this was
different,” Kerr recalled.

In an email thread among utility workers trying to troubleshoot the
hoax, Kerr wrote on May 21: “I should let you know that the public
absolutely loved it. It is the most positive response to an outage I
have ever seen. In one resident’s words, ‘If this guy gets fired, we
MUST rebel! This person deserves a medal!’…”

Emails and calls started pouring in from media outlets, which produced
headlines like “Zombie alerts issued in Lake Worth” and “More power to
zombies.”

Kerr, who spent the next two days talking to amused reporters, said he
sensed enthusiasm about the gaffe and tried not to “come across as too
serious” in his comments.

“Staff has scrubbed the system of all these messages, and we should
not have any more zombie alerts going out, at least until the actual
zombie invasion,” he told a local TV station.

Zombie alert ‘was embarrassing’

The errant alert wound up in Jimmy Fallon’s monologue on The Tonight
Show and blossomed into a source of friendly ribbing in emails to city
employees.

“I hope all is well and you are not too busy fighting zombies,” an
architect wrote to Assistant City Manager Juan Ruiz.

“If you need any help, me and Mark have watched a lot of Walking Dead
and wouldn’t mind testing out our zombie skills,” a subcontractor
wrote to utility worker Michael Jenkins.

“How do I mark myself safe after a disaster? Family and friends have
been reaching out after the zombie attack,” one resident asked on
Facebook.

Not everyone was amused, especially longtime residents who for decades
have endured problems from the city’s aging power grid, including
sporadic blackouts during calm weather.

“This zombie attack message made national news and was embarrassing as
a resident. It shows how the city of Lake Worth does not treat its
services seriously and does not care about its customers,” Joseph
Yanni wrote in an email to a city official.

The fake zombie alert wasn’t the only strange occurrence with the
city’s utility this year. In April, a transformer at the main
substation exploded without warning, causing a citywide blackout and
prompting an investigation that is still open into whether someone
fired a weapon at the device.

But the majority of zombie reaction was light and fun, inspiring
breathless suggestions for 5K zombie runs, zombie pub crawls, “I
survived the Lake Worth zombie alert” T-shirts and billboards pitching
Lake Worth as friendly to zombies.

When Kerr flew to his native Scotland later that week to get married,
he arrived in Glasgow to friendly ribbings from wedding guests who had
read his name in news outlets in the United Kingdom.

When he returned to Lake Worth in early June, “My phone was so full it
couldn’t take any more messages. My email server took forever to start
up,” he said.

Some of the voice messages were left by agents from the FBI and FCC.

“When we hear about zombie alerts, we need to do some follow-up
because the Emergency Alert System has been hacked a couple of times,”
said Greg Cooke of the FCC’s Public Safety and Homeland Security
bureau.

‘A wonderfully innocent warning’

In February 2013, people in California, Michigan, Montana and New
Mexico heard warnings about attacking zombies on TV stations because
of an EAS hack.

“Local authorities in your area have reported the bodies of the dead
are rising from their graves and attacking the living,” an ominous
voice warned in a message heard during a Michigan station’s airing of
an episode of the children’s show “Barney and Friends.”

The Lake Worth hack didn’t affect the federal alert system, so the FCC
and FBI never launched full investigations.

With help from PTC, electric utility workers found five zombie alerts
in the city’s Power Tracker system. They also determined that the five
alerts, which have been erased, had most likely been in the system
when the first zombie alert was discovered in September 2017.

The zombie furor eventually died down, but Kerr recalled an appearance
he made this summer at a neighborhood meeting to offer updates about
city projects. He mentioned the fake zombie alert.

“There were two teenagers, like 16-year-old kids, in the audience. I
thought they were there with their parents,” he recalled. When Kerr
left, he found the kids “waiting outside my car. They were real shy
but they asked to get a selfie with me because of the zombie thing,”
he said with a laugh.

When a reporter told Norrie about Kerr’s encounter with the two teens,
the cybersecurity expert laughed and wondered if they were the zombie
hackers seeking a trophy.

With Halloween approaching, city officials figured they might as well
have fun with zombies — and poke fun at themselves at the annual
Halloween party. Mayor Pam Triolo got into the spirit and has asked
city staff to convert a photograph of herself into a zombie as part of
the party decorations.

“I told our staff they could invite the walking dead to be honorary
guests. I’d even give them the key to the city,” she said, adding, “We
like to make lemonade out of our lemons.”

While the two cybersecurity experts agreed the zombie episode was
amusing, they said Lake Worth officials would be wise to take a hard
look at making sure they’re doing everything they can to prevent a
potentially more serious attack.

If not, “then maybe the real zombies are at City Hall,” Norrie said.

“This was a wonderfully innocent warning. Now the only question is:
What do you do to learn from this?”

