Lake Worth ‘zom­bie’ en­tered in city email

Hacker’s power-out­age prank raises cy­ber­se­cu­rity alarms.

The Palm Beach Post - - FRONT PAGE - By Joe Capozzi Palm Beach Post Staff Writer

LAKE WORTH — To atone for their in­fa­mous zom­bie alert heard ’round the world, city of­fi­cials are is­su­ing a new one. And this time it’s for real.

In what they hope will be an amus­ing spec­ta­cle of self-par­ody, elec­tric util­ity crews will park a bucket truck in­side a makeshift zom­bie quar­an­tine zone at the down­town Cul­tural Plaza on Oct. 26 for the city’s an­nual Hal­loween party for kids.

“It’s just our way of pok­ing fun at our­selves,” said city spokesman Ben Kerr, re­fer­ring to the May 20 power out­age that the city’s hacked no­ti­fi­ca­tion sys­tem blamed on “ex­treme zom­bie ac­tiv­ity,” in­spir­ing jokes on late-night tele­vi­sion and head­lines from as far away as Aus­tralia.

The hoax also at­tracted dead-se­ri­ous in­quiries from the FBI and Fed­eral Com­mu­ni­ca­tions Com­mis­sion about how the sys­tem was hacked. Nearly five months later, ex­actly who was re­spon­si­ble re­mains a mys­tery.

But one cy­ber­se­cu­rity ex­pert has a pretty good idea about what prob­a­bly hap­pened: A com­puter-savvy male in his teens or 20s pulled off what is known as a “no­to­ri­ety hack” aimed not at do­ing any harm but at se­cur­ing laughs and brag­ging rights among hack­ers.

“My guess is there is some smart teen in your neck of the woods who is hav­ing a hey­day claim­ing credit for this among the hack­ing com­mu­nity on the dark web,” said James Nor­rie, dean of the Gra­ham School of Busi­ness at York Col­lege of Penn­syl­va­nia.

“The un­for­tu­nate part is that this ex­poses a weak­ness in your util­ity,” he added. “The mere fact that some­one could get into the sys­tem is a wake-up call. What if you had a real pro that re­ally wanted to do some dam­age?”

Ear­lier this week, the city was deal­ing with an­other “po­ten­tial breach” re­lated to its util­ity sys­tem. On Tues­day, the city warned util­ity cus­tomers who pay their bills on­line that their credit card in­for­ma­tion might have been breached over the past six weeks.

The ven­dor who man­ages the city’s on­line trans­ac­tions is in­ves­ti­gat­ing and “steps have been taken to neu­tral­ize any fur­ther po­ten­tial breach through the ven­dor’s sys­tem,” the city said.

Who­ever cre­ated the zom­bie alert “used a city email” ad­dress to gain ac­cess to the no­ti­fi­ca­tion alert sys­tem, Dar­rell Lopez, chief ex­ec­u­tive officer for Pub­lic Tele­phone Com­pany of Amer­ica, told The Palm Beach Post. Lopez’s Or­lando-based com­pany de­signed and built the city’s Power Tracker sys­tem in 2014.

Asked how he was so cer­tain that the hacker had a Lake Worth city gov­ern­ment email ad­dress, Lopez told a Palm Beach Post re­porter last week be­fore hang­ing up: “Be­cause we traced it, and that’s all I’m say­ing.”

That was news to Lake Worth util­ity of­fi­cials, who won­dered why Lopez never shared that con­clu­sion with them. In May, just two days af­ter the “zom­bie alert” went out, Kerr told me­dia out­lets that “no staff mem­ber was found to be in­volved and no one has been fired for it.”

But even if the hacker had a city email ad­dress, that doesn’t nec­es­sar­ily mean a city em­ployee is re­spon­si­ble.

It’s pos­si­ble that some­one gained ac­cess through a “phish­ing at­tack,” an email aimed at trick­ing some­one — in this case a Lake Worth city em­ployee — into be­liev­ing the mes­sage is some­thing they need, such as re­quest from a bank or a col­league, said Dr. Steven An­dres, who teaches man­age­ment in­for­ma­tion sys­tems at San Diego State Uni­ver­sity.

“It could also be a dis­grun­tled em­ployee,” An­dres said. “It’s hard to tell.”

Nor­rie said, “It’s very likely to be some­body who has an in­sider’s ac­cess or some­one who cor­rupted an in­sider.”

The zom­bie alert ac­tu­ally was sent out in two sep­a­rate out­ages, dur­ing Hur­ri­cane Irma in Septem­ber 2017 and on May 20, but city of­fi­cials erased the first one be­fore it was viewed by the pub­lic.

PTC charges the city $2,000 a month for the Out­age No­ti­fi­ca­tion Sys­tem, which in­cludes au­to­matic mes­sages and emails and voice record­ings that of­fer ex­pla­na­tions and up­dates when the power goes out.

Also re­ferred to as the Lake Worth Power Tracker, the sys­tem is not con­nected to the city’s power grid.

The hack only af­fected a hand­ful of pre-writ­ten mes­sages that ap­peared on the sys­tem’s on­line over­lap map of the city, which has nearly 900 dif­fer­ent sec­tions or “lay­ers.”

The mes­sages are writ­ten by Lake Worth elec­tric util­ity em­ploy­ees, but they also can be ac­cessed and edited by PTC em­ploy­ees, said Jason Bai­ley, as­sis­tant di­rec­tor of sys­tem op­er­a­tions for the elec­tric util­ity.

‘Walk­ing Dead’ link

When the power goes out, the map high­lights the af­fected ar­eas with small red boxes. By click­ing on one of the boxes, cus­tomers can read brief pop-up mes­sages with ex­pla­na­tions and up­dates.

When the sys­tem works as it should, a map mes­sage might look like this: “POWER OUT­AGE 200 AND 300 BLOCK OF FORD­HAM AND DART­MOUTH DRIVE AND THE 2200 BLOCK OF NORTH FED­ERAL HIGH­WAY 34 CUS­TOMERS AF­FECTED RESTORA­TION TIME 3 HOURS.”

On Sept. 9, 2017, as Hur­ri­cane Irma made land­fall in South Florida, Kerr was mon­i­tor­ing the scat­tered power out­ages on elec­tronic maps in the city’s Emer­gency Op­er­a­tions Cen­ter when he no­ticed this mes­sage:

“POWER OUT­AGE AND ZOM­BIE ALERT FOR RES­I­DENTS OF LAKE WORTH AND TER­MI­NUS. THERE ARE NOW FAR LESS THAN SEVEN THOU­SAND THREE HUN­DRED AND EIGHTY CUS­TOMERS IN­VOLVED DUE TO EX­TREME ZOM­BIE AC­TIV­ITY. ...”

Star­ing at the mes­sage, Kerr won­dered if he was hal­lu­ci­nat­ing from ex­haus­tion. He alerted elec­tric util­ity of­fi­cials a few miles away.

“I looked at it and I’m like, ‘holy crap!’ – the ex­act words that came out of my mouth,” re­called Walt Gill, as­sis­tant elec­tric util­ity di­rec­tor.

The fake alert pro­vided a clue about the per­son who wrote it: That per­son most likely watches “The Walk­ing Dead,” an AMC hit show about a zom­bie apoca­lypse. “Ter­mi­nus” is a fic­tional town fea­tured in the show’s fourth sea­son, which pre­miered in 2013 and con­cluded on March 30, 2014, around the same time PTC in­stalled the city’s sys­tem.

City work­ers promptly erased the fake mes­sage, which ap­par­ently went un­no­ticed by the pub­lic. (With Irma’s outer bands rag­ing, cus­tomers likely didn’t need to con­sult the Power Tracker map for an ex­pla­na­tion of why the power went out.)

As a pre­cau­tion, PTC changed the web ad­dress and the user ac­count pass­words on Sept. 10, 2017.

And city of­fi­cials, not know­ing if the zom­bie alert was the work of a mis­chievous kid or some­one with more sin­is­ter mo­tives, alerted the FBI.

Af­ter power was re­stored in the days af­ter the hur­ri­cane, PTC tech­ni­cians worked with Bai­ley’s staff to re­view nearly 3,000 pre-writ­ten mes­sages in the sys­tem to make sure they had killed off any other “zom­bie alerts.”

“They thought they had cap­tured every sin­gle one,” Gill said.

But eight months later, it hap­pened again. And this time, dur­ing a 37-minute out­age that af­fected 7,880 cus­tomers at 1:45 a.m. on May 20, the pub­lic saw it.

“Nor­mally dur­ing a power out­age, they’re not happy. But this was dif­fer­ent,” Kerr re­called.

In an email thread among util­ity work­ers try­ing to trou­bleshoot the hoax, Kerr wrote on May 21: “I should let you know that the pub­lic ab­so­lutely loved it. It is the most pos­i­tive re­sponse to an out­age I have ever seen. In one res­i­dent’s words, ‘If this guy gets fired, we MUST rebel! This per­son de­serves a medal!’...”

Emails and calls started pour­ing in from me­dia out­lets, which pro­duced head­lines like “Zom­bie alerts issued in Lake Worth” and “More power to zom­bies.”

Kerr, who spent the next two days talk­ing to amused re­porters, said he sensed en­thu­si­asm about the gaffe and tried not to “come across as too se­ri­ous” in his com­ments.

“Staff has scrubbed the sys­tem of all these mes­sages, and we should not have any more zom­bie alerts go­ing out, at least until the ac­tual zom­bie in­va­sion,” he told a lo­cal TV sta­tion.

Jokes — and gripes

The er­rant alert wound up in Jimmy Fal­lon’s mono­logue on “The Tonight Show” and blos­somed into a source of friendly rib­bing in emails to city em­ploy­ees.

“I hope all is well and you are not too busy fight­ing zom­bies,” an ar­chi­tect wrote to As­sis­tant City Man­ager Juan Ruiz.

“If you need any help, me and Mark have watched a lot of Walk­ing Dead and wouldn’t mind test­ing out our zom­bie skills,” a sub­con­trac­tor wrote to util­ity worker Michael Jenk­ins.

“How do I mark my­self safe af­ter a dis­as­ter? Fam­ily and friends have been reach­ing out af­ter the zom­bie at­tack,” one res­i­dent asked on Face­book.

Not ev­ery­one was amused, es­pe­cially long­time res­i­dents who for decades have en­dured prob­lems from the city’s ag­ing power grid, in­clud­ing spo­radic black­outs dur­ing calm weather.

“This zom­bie at­tack mes­sage made na­tional news and was em­bar­rass­ing as a res­i­dent. It shows how the city of Lake Worth does not treat its ser­vices se­ri­ously and does not care about its cus­tomers,” Joseph Yanni wrote in an email to a city of­fi­cial.

The fake zom­bie alert wasn’t the only strange oc­cur­rence with the city’s util­ity this year. In April, a trans­former at the main sub­sta­tion ex­ploded without warn­ing, caus­ing a city­wide black­out and prompt­ing an in­ves­ti­ga­tion that is still open into whether some­one fired a weapon at the de­vice.

But the ma­jor­ity of zom­bie re­ac­tion was light and fun, in­spir­ing breath­less sug­ges­tions for 5K zom­bie runs, zom­bie pub crawls, “I sur­vived the Lake Worth zom­bie alert” T shirts and bill­boards pitch­ing Lake Worth as friendly to zom­bies.

When Kerr flew to his na­tive Scot­land later that week to get mar­ried, he ar­rived in Glas­gow to jokes from wed­ding guests who had read his name in news out­lets in the United King­dom.

When he re­turned to Lake Worth in early June, “My phone was so full it couldn’t take any more mes­sages. My email server took for­ever to start up,” he said.

Some of the voice mes­sages were left by agents from the FBI and FCC.

“When we hear about zom­bie alerts, we need to do some fol­low-up be­cause the Emer­gency Alert Sys­tem has been hacked a cou­ple of times,” said Greg Cooke of the FCC’s Pub­lic Safety and Home­land Se­cu­rity bureau.

‘In­no­cent warn­ing’

In Fe­bru­ary 2013, peo­ple in Cal­i­for­nia, Michi­gan, Montana and New Mex­ico heard warn­ings about at­tack­ing zom­bies on TV sta­tions be­cause of an EAS hack.

“Lo­cal author­i­ties in your area have re­ported the bod­ies of the dead are rising from their graves and at­tack­ing the liv­ing,” an omi­nous voice warned in a mes­sage heard dur­ing a Michi­gan sta­tion’s air­ing of an episode of the chil­dren’s show “Bar­ney and Friends.”

The Lake Worth hack didn’t af­fect the fed­eral alert sys­tem, so the FCC and FBI never launched full in­ves­ti­ga­tions.

With help from PTC, elec­tric util­ity work­ers found five zom­bie alerts in the city’s Power Tracker sys­tem. They also de­ter­mined that the five alerts, which have been erased, had most likely been in the sys­tem when the first zom­bie alert was dis­cov­ered in Septem­ber 2017.

The zom­bie furor even­tu­ally died down, but Kerr re­called an ap­pear­ance he made this sum­mer at a neigh­bor­hood meet­ing to of­fer up­dates about city projects. He men­tioned the fake zom­bie alert.

“There were two teenagers, like 16-year-old kids, in the au­di­ence. I thought they were there with their par­ents,” he re­called. When Kerr left, he found the kids “wait­ing out­side my car. They were real shy but they asked to get a selfie with me be­cause of the zom­bie thing,” he said with a laugh.

When a re­porter told Nor­rie about Kerr’s en­counter with the two teens, the cy­ber­se­cu­rity ex­pert laughed and won­dered if they were the zom­bie hack­ers seek­ing a tro­phy.

With Hal­loween ap­proach­ing, city of­fi­cials fig­ured they might as well have fun with zom­bies — and poke fun at them­selves at the an­nual Hal­loween party. Mayor Pam Tri­olo got into the spirit and has asked city staff to con­vert a pho­to­graph of her­self into a zom­bie as part of the party dec­o­ra­tions.

“I told our staff they could in­vite the walk­ing dead to be hon­orary guests. I’d even give them the key to the city,” she said, adding, “We like to make lemon­ade out of our lemons.”

While the two cy­ber­se­cu­rity ex­perts agreed the zom­bie episode was amus­ing, they said Lake Worth of­fi­cials would be wise to take a hard look at mak­ing sure they’re do­ing ev­ery­thing they can to pre­vent a po­ten­tially more se­ri­ous at­tack.

If not, “then maybe the real zom­bies are at City Hall,” Nor­rie said.

“This was a won­der­fully in­no­cent warn­ing. Now the only ques­tion is: What do you do to learn from this?”

RICHARD GRAULICH / THE PALM BEACH POST

The sys­tems op­er­a­tions room at Lake Worth’s main power-gen­er­a­tion fa­cil­ity. City of­fi­cials were mon­i­tor­ing maps in this room in Septem­ber 2017 when they no­ticed the first of two “zom­bie alerts” on the Out­age No­ti­fi­ca­tion Sys­tem in the city’s Power Tracker setup.

This “zom­bie alert” went out May 20 to Lake Worth res­i­dents. The hacker was ap­par­ently a fan of AMC’s “The Walk­ing Dead.”

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.