The Awan Family Scam: A Triumph of Political Correctness Over Cybersecurity

After being subjected to numerous, damaging cyber attacks, you would think the Democrats would have learned their lesson and become more cybersecurity aware. Unfortunately, this does not seem to be the case. As the scam perpetrated by the Awan family on House Democrats unfolds, it becomes apparent that it succeeded because of poor cybersecurity practices underpinned by a misguided sense of political correctness. In fact, all evidence points to a complete lack of concern about cybersecurity among the Democrats affected by the scam. Not even the most basic precautions were taken.

Before looking into the matter further, it is necessary to look at what is known about this scam.

The Facts

 2004 – Imran Awan, who came to the US from Pakistan as a teenager, starts working as an information technology director on Capitol Hill. He begins working for Florida Democratic Representative, Robert Wexler.

2005 – At Wexler’s recommendation, Debbie Wasserman Schultz hires Imran.

2005 – Imran’s brothers (Abid and Jamal), his wife (Hina Alvi), and Abid’s wife (Natalia Sova), begin working in IT for House Democrats. Each of their salaries averages $160,000 a year.

November, 2009 to September, 2010 – Despite his apparent full time job performing IT duties for House Democrats, Abid opens and runs a car dealership (Cars International) in Falls Church, VA.


2012 – After amassing debts of over $1 million from his failed car dealership, Abid files for bankruptcy.

2012 – Family friend, Rao Abbas, begins working in IT for House Democrats.

2013 – High school friend, Haseeb Rana, hired to work in IT for House Democrats but quits after 3 months complaining that he was doing all the work.

December, 2016 – Imran’s wife signs home loan documents from an IP address associated with the US House of Representatives.

January, 2017 – Imran (posing as his wife) takes out a home loan but, instead of using the money to buy the home, Imran sends this and other money, totaling $283,000, to two people in Pakistan. It was probably this transaction that tipped off authorities.

February, 2017 – News of the investigation into the Imran family is made public. They are accused of stealing equipment from the offices of 20 House members and improperly using the IT network.

March, 2017 – Hina Alvi tries to make a quick escape to Pakistan. She suddenly takes their three children from school and goes to Dulles Airport with $12,400 in cash. She is questioned but allowed to proceed.

July 24, 2017 – Imran arrested at Dulles Airport

July 25, 2017 – Imran fired by Debbie Wasserman-Schultz

The Scam

Basically, Imran found a weakness in the House employment system which allows members to share employees without any member paying these employees a full time salary. Each member would pay separately and the amount paid by each would be small enough to raise no red flags. Besides, few, if any, House members would take the time to investigate how many other House members were also paying these part-time employees. More importantly, it is unlikely that they cared. Imran must have also found weaknesses in the vetting system as he somehow managed to get his entire family and some friends high-paying jobs without raising any suspicions. You would think that Imran’s brother’s criminal record and his apparent need for cash would have disqualified him for working in such a high profile job, but it did not.

Imran’s wife was certainly a ghost employee who never showed up at work but managed to get over $160,000 a year for her lack of effort. Except for the two friends and, at times, Imran, himself, none of the family did much, if any, work. Few of the 80 House members they worked for ever saw these IT workers.  Nonetheless, together, they were able to amass $4-5 million in taxpayer money.

Motivation

The pure lack of interest in cybersecurity by Democratic House members made them low hanging fruit for these scammers. It was simply a network waiting to be exploited. Add the family’s need for money into the equation and some sort of scam was bound to develop. Money seemed to be the family’s main motivation. The fact that Imran was arrested for stealing equipment underlines how important money was to the family. According to a police report, they were keeping their mother hostage so that they could keep her from inheriting money and property from her dying husband. They planned on getting it instead.  Did they have a plan to monetize the information they found on the computers of the 80 representatives they worked for? That remains to be seen, but, seeing their all-pervading lust for money, it would surprise no one.

Some have suggested that they may have had political motivations and connections to radical Islamists. These investigators point to dealings the brothers had with Dr. Ali al-Attar, a doctor who had to flee the U.S. before being arrested for medical fraud. He is said to have ties to radical Islamist groups. Abid apparently borrowed $100,000 from him to start his car dealership and never paid him back. Such a political connection is possible but, based on the available evidence, it is, at this time, weak.

What could they have done?

If this group really wanted to do damage, they could have done quite a bit. As IT administrators, they would have had access, not only to individual devices, but to the servers and all the information they would hold. It’s not clear that they thought this far ahead. They seem more like the type of criminals who would look for easy money, such as that gained from selling stolen equipment or taking money designated for equipment and using it for themselves. That said, here is a list of what they could do to make money if they wanted to.

They could…

Steal sensitive data, such as passwords, login credentials, banking information, credit card data, and personal information about supporters and contributors, and either use this information for themselves or sell it.

Download sensitive information from devices to a USB for future use or send this sensitive information to cloud storage.

Install malware to remotely hack the computer/network whenever they wanted to.

Install keyloggers to gather information.

Leak information for political or monetary reasons.

Blackmail House members or others for money.

Set up a ransomware attack for financial gain.

What evidence do we have?

In an exclusive interview, Wasserman Schultz told South Florida’s Sun Sentinel  newspaper last week that she was told that the case against Awan and his family involved “procurement violations and data transfer violations.” She said data had been sent “outside the secure network, which I think amounted to use of apps that the House didn’t find compliant with our security requirements.” She mentioned that Imran was using Dropbox, which, apparently, was one of the forbidden apps.  She expressed her belief that other IT workers did the same thing but were not being investigated.

These remarks from Wasserman Schultz about Imran setting up a Dropbox account are far from reassuring. To me, it shows that she is simply technologically naïve. Why would Imran install Dropbox at all? Maybe because this would be a good way to transfer documents from Wasserman Schultz’ computer to the cloud without leaving any suspicious storage files on her computer. Maybe he worried about leaving log traces of a USB download, as in the image below.


USB Activity as shown on Nirsoft’s USBLogView utility

It would be easy for a good administrator to track any Dropbox use, but Imran may have just been taking advantage of Wasserman Schultz’ and others’ lack of technological knowledge. We know nothing about the extent of Imran’s own cybersecurity knowledge. It could have been very basic. Maybe he believed, like some do, that cloud storage is safer. It would certainly keep the House members he worked for from accessing any files stored there. The fact remains that, if he had installed Dropbox on other members’ computers, it would look decidedly suspicious. He could, then, give anyone he wanted access to these stored documents or access them himself whenever and wherever he needed them. I’d be interested in seeing what investigators find in his Dropbox account, assuming these files were not deleted before he was arrested.
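To illustrate the point that an administrator can track Dropbox use, here is an added example (not part of the original post): a short Python scan of web-proxy records that totals each user's traffic to Dropbox domains and flags heavy uploaders. The log layout, user names, domain list and threshold are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of web-proxy records: timestamp,user,host,method,bytes_sent.
# The column layout is an assumption; adapt it to the proxy actually in use.
SAMPLE_LOG = """\
2017-01-09T09:12:03,staff01,www.example.org,GET,512
2017-01-09T09:14:40,itadmin02,client.dropbox.com,POST,1048576
2017-01-09T09:15:02,itadmin02,content.dropboxapi.com,POST,52428800
2017-01-09T09:20:11,staff03,www.dropbox.com,GET,2048
2017-01-09T09:31:57,staff01,notdropbox.com.example.net,POST,4096
2017-01-09T09:40:00,itadmin02,content.dropboxapi.com,PUT,73400320
"""

# Domains treated as unsanctioned cloud storage (assumed policy list).
BLOCKED_SUFFIXES = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
UPLOAD_METHODS = {"POST", "PUT"}

def is_blocked(host):
    """Match the domain itself or a true subdomain, not a look-alike substring."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES)

def summarize(log_text):
    """Return {user: {"requests": n, "upload_bytes": b}} for blocked hosts."""
    usage = defaultdict(lambda: {"requests": 0, "upload_bytes": 0})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip malformed lines rather than abort the scan
        _ts, user, host, method, sent = row
        if not is_blocked(host):
            continue
        usage[user]["requests"] += 1
        if method.upper() in UPLOAD_METHODS and sent.isdigit():
            usage[user]["upload_bytes"] += int(sent)
    return dict(usage)

def flag_uploaders(usage, threshold_bytes=10 * 1024 * 1024):
    """Users whose total upload volume to blocked hosts exceeds the threshold."""
    return sorted(u for u, s in usage.items() if s["upload_bytes"] > threshold_bytes)

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for user in flag_uploaders(report):
        print(user, report[user])
```

Matching on the domain suffix rather than a substring keeps look-alike hosts such as the constructed `notdropbox.com.example.net` out of the report.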

Evidence of Cybersecurity Naiveté

Nearly every media outlet reporting on this story remarks on how unconcerned Imran’s employers were about his being investigated. Wasserman Schultz didn’t even fire him until after he was arrested. “I believe that I did the right thing, and I would do it again”, she said during the Sentinel interview. She claims she had not seen enough evidence to fire Imran. “I had grave concerns about his due process rights being violated.” “I was presented with no evidence of anything that they were being investigated for. And so that, in me, gave me great concern that his due process rights were being violated. That there were racial and ethnic profiling concerns that I had.”

This last point should not be taken lightly. Democrats, by a wide majority, believe in promoting diversity and being politically correct. This view may have allowed the Awan family to bypass normal hiring standards. It may also have allowed them to continue in jobs that they were all under-performing in. The fear, as expressed by Wasserman Schultz, that firing them may look to others as undermining diversity or supporting ethnic profiling may have made some representatives look the other way. The Awans had forced them into an uncomfortable ethical corner.

And then, there’s apathy. According to the Daily Caller, one IT technician who works with the Democratic House members noted, “there’s no question about it: If I was accused of a tenth of what these guys are accused of, they’d take me out in handcuffs that same day, and I’d never work again.” But what baffled other IT workers most was that “members of Congress have displayed an inexplicable and intense loyalty towards the suspects.” “Members were fiercely protective of the business, despite objectively shoddy work and requests for computer help routinely ignored for weeks.” One contractor who works for the House complained that “there’s networkers meetings once a week and I never saw them ever come to them. We have an email group; I never saw them contribute or reply.”

One IT worker told a story of an angry staffer who complained about Imran taking so long to fix his computer. “‘I’m not going to pay my invoices until you fix my computer,’ and Imran went to the member, and they fired [the staffer who complained] that day. Imran has that power.” Pat Sowers, who has worked on IT with House members for years, admitted that “I love the Hill but to see this clear lack of concern over what appears to be a major breach bothers me.”

This lack of interest by affected House members has led some to suggest that the Awans may have been blackmailing them. Sowers noted, “I don’t know what they have, but they have something on someone. It’s been months at this point with no arrests. Something is rotten in Denmark.” This angle cannot be ignored, but it is only speculation at this point.

In the end, it seems the Awans took advantage of technologically naïve House members and used the members’ own support for diversity against them. Details are lacking in this case but, hopefully, these will emerge when the case goes to trial on August 21.

 

 

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.