Thursday, 24 July 2014

Timor Leste - They don't really care about us...

Introduction. My name is A. No last name.
I was born in Indonesia. I am a CEH and work as a computer network security consultant.
This year I followed the news and voted in Indonesia's presidential election.
Today, 23 July 2014, I read many posts. Many ask: did the 2014 presidential election take place honestly and fairly?
I may have the answer. Possibly. My writing may answer the question. It may also open many new questions.
But first, apologies. I am not a writer. I am sorry if my language is not good. I am trying to be short and effective.
This paper is aimed at those of you who are curious.
Also at the elected presidential candidate, Mr. Jokowi, so that the IT systems for the 2019 election can be better than now, so that nobody else cries foul.
Also at the presidential candidate who was not elected, Mr. Prabowo, because you must be curious. Also at the current president, Mr. SBY. Who knows, perhaps he is curious too.

Also to the designers and IT system admins of the 2014 election: Raden Santoso, Nana Indra, Utian Ayuba, Andy Nugroho, Yoga Dahirsa, Muhammad Hafidz et al.

Of course, also to the members of the Commission: Husni Kamil Malik, Ferry Kurnia Rizkiyansyah, Ida Budhiati, Sigit Pamungkas et al.

Consider it my contribution, as shared learning material, so that Indonesia is safer. Indonesia great. Indonesia rises.

7 April 2014

On 7 April 2014, I noticed a fascinating phenomenon.

Hackers and crackers also have the right to vote. Had political rights. Also have the right to campaign to support the number one or number two.

The spirit of the hackers and crackers in the 2014 presidential election was great. Most supported number two, although some also supported number one.

This is my conclusion after seeing so many candidate ads on Google and YouTube. Ads are fine. Advertising is also fine.

Though there should be no presidential ads on either site. Google prohibits political advertising in Indonesia, in any form. But ...

They must have realized that Google's ability to filter and block ads is limited. This weakness was exploited.

Some were so excited that they hacked many sites, converting them into promotional pages or defacing those of the candidate they did not support.

They are trying to influence perception. Perception affects the results.

Their efforts made me ask: besides disseminating information to influence perception, what else can they do?

Could hacker and cracker sympathizers of the candidates break into the KPU's IT systems and directly affect the outcome? I tried it.

Security Gap #1: Email of the Commission Members

To understand the KPU's IT systems I needed information. I started by looking for the email addresses of the commission members.



I found a document with all the email addresses actively used by the KPU commissioners. Six of the seven use free email.

So I ask: organizing an election is not a game. Why use free email that is easily hacked? Could it be intentional?

Ferry Kurnia seems to be the youngest of the seven commission members. Usually the youngest is the most involved in IT affairs.

I sent a phishing email to Ferry. In less than two hours I was able to access and read all the emails he had ever received and sent.

What I found confused me. I am sure the commission members and the KPU's IT system designers are not just anybody.

But they made everything so easy for someone like me, who had no intention of getting into the KPU IT systems.

Security Gap #2: Usernames and Passwords Sent by Email

The first thing I did when I opened the mailbox of one commission member was search for the word "password". I was surprised.

I got the SILOG password directly. The Logistics System.



I also got the password for the Dropbox used to store copies of the data for all Indonesian voters.



Also the password for the KPU's real count system. Yes. It turns out the KPU has a real count system that somehow is not shown on its website, so the public has to count for themselves, as on the kawalpemilu.org website.



Also the admin password for the KPU website. Also the password for SIDALIH, the voter data system. Also passwords for many other systems.

This also confused me. Various passwords were sent by the admin via email. Did they want to make it easier for a hacker to enter the system?

Note: many of the passwords in this screenshot are still in use ... which makes me ... Sorry that it is hidden, for those who are curious.

Security Gap #3: A Google Doc with Usernames and Passwords

My surprise. This email really goes beyond logic and any way of thinking. I found an email sent by the IT system admin to all KPU members: a GOOGLE DOC containing a list of all the KPU IT system passwords.

I really began to suspect that the administrators and commission members wanted to make it easy for hackers and crackers to break into the KPU's IT systems.

Moreover ...

Security Gap #4: Easy Passwords with a Predictable Pattern

For example, this SSH password for the KPU website that I used: 4dm1n80njol @ w1w1k. Username: kpuadmin.

Root shell / MySQL password: m3rd3k41945!

Many KPU IT system passwords use the same pattern. Is it to be easy to remember ... or to be easily hacked? Sorry if thinking that is wrong, but I was trained to look at patterns.
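As an added example (not code from this post or from the KPU), here is the kind of leet-aware policy check that would have rejected passwords like the two quoted above: it undoes the digit-for-letter swaps and looks for predictable words and years. The blocklist is constructed for the example; a real deployment would load a much larger, organisation-specific list.

```python
"""Leet-aware password pattern check (added example, not KPU code).

A policy that only requires "letters, digits and symbols" accepts words
with 4->a, 3->e, 1->i, 0->o, 8->b swapped in.  This check de-leets the
candidate first, then looks for blocklisted words and years.
"""
LEET = str.maketrans({"4": "a", "3": "e", "0": "o", "8": "b", "@": "a", "$": "s"})

# Constructed blocklist: generic admin words plus organisation-specific terms
# (system names, slogans, place names) that a local policy would add.
BLOCKED_WORDS = {"admin", "password", "root", "merdeka", "bonjol", "kpu", "pemilu"}
BLOCKED_YEARS = {"1945", "2014", "2019"}

def deleet_variants(pw: str) -> set:
    """Lower-case the password and undo common digit-for-letter swaps.
    '1' is ambiguous (i or l), so both readings are returned."""
    base = pw.lower().translate(LEET)
    return {base.replace("1", "i"), base.replace("1", "l")}

def predictable_terms(pw: str) -> list:
    """Blocklisted words found in any de-leeted reading, then years as typed."""
    variants = deleet_variants(pw)
    words = [w for w in sorted(BLOCKED_WORDS) if any(w in v for v in variants)]
    years = [y for y in sorted(BLOCKED_YEARS) if y in pw]
    return words + years

def check_password(pw: str, min_len: int = 14) -> tuple:
    """Return (accepted, reasons).  Rejects short passwords and any password
    built from blocklisted terms, however the letters were disguised."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = predictable_terms(pw)
    if hits:
        reasons.append("predictable terms: " + ", ".join(hits))
    return (not reasons, reasons)

if __name__ == "__main__":
    # The two passwords quoted on the page, as written there.
    for candidate in ("4dm1n80njol @ w1w1k", "m3rd3k41945!"):
        print(candidate, check_password(candidate))
```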

Security Gap #5: All Commission Members Can Edit the Voter List at Will

This is the KPU's Voter Data System (SIDALIH). With this system the commission sets the names entered into the Provisional Voter List (DPS) and the Final Voter List (DPT).
Names of voters can be added or removed from this system. This is crucial because in Indonesia, voters with an invitation can vote without needing an ID card.
I am a layman. But this is a big question for me. If you want it safe: why can all commission members edit the DPT at will? Why is the access the admin grants not read-only?
Granting edit rights is, of course, a deliberate decision, not likely an accident. It gives every commission member very great authority to play with the number of voters. Reduce or add.
If a commission member is in communication with a presidential candidate's campaign team, or if a hacker or cracker who supports a candidate gets into the system like I did ... they could add new voters, or remove voters, in certain areas.
Those who cannot vote could be given the right to vote. Those known to pick a particular candidate could have their right to vote revoked ... Easily. It's easy.
Moreover, for every entry ... there is no public info or log of who last edited it, let alone an edit history.
A pleasant gap ... for those who have good intentions.
Security Gap #6: All Commission Members Can Edit Ballot Paper Delivery Quantities at Will
The KPU's Logistics System (SILOG). With this system the commission governs the distribution of ballots to all regions / polling stations (TPS). Ballot deliveries can be increased or reduced from this system.
My question about SILOG is about the same as for SIDALIH.
I am a layman. But this is a big question for me. If you want it safe: why can all commission members edit election logistics such as ballots at will? Why is the access the admin grants not read-only?
Sorry if this sounds like a repeat. This decision is, of course, a deliberate decision, not likely an accident. It gives every commission member very great authority to play with the number of ballots.
If a commission member is in communication with a presidential candidate's campaign team, or if a hacker or cracker who supports a candidate gets into the system like I did ... they could send more ballots to certain areas. It's easy.
Moreover, as in SIDALIH ... for every entry ... there is no public info or log of who last edited it, let alone an edit history.
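Gaps #5 and #6 are the same two design choices: every account can edit, and nothing records who changed what. As an added example (not SIDALIH or SILOG code), the sketch below gives each account an explicit role that is read-only by default, refuses edits outside that role, and appends every accepted edit to a hash-chained history that can be published and checked independently. Record ids, users and values are constructed for the example.

```python
"""Least privilege plus a tamper-evident edit history (added example)."""
import hashlib
import json
import time

GENESIS = "0" * 64  # chain anchor for the first log entry

class Registry:
    """Holds records (voter rows or per-TPS ballot counts) behind role checks."""
    def __init__(self):
        self.rows = {}      # record id -> current value
        self.roles = {}     # user -> "viewer" | "editor"
        self.log = []       # append-only edit history
        self._prev = GENESIS

    def grant(self, user, role="viewer"):
        """Default is read-only; edit rights must be granted explicitly."""
        if role not in ("viewer", "editor"):
            raise ValueError(role)
        self.roles[user] = role

    def read(self, user, rid):
        if user not in self.roles:
            raise PermissionError(f"{user}: no access")
        return self.rows.get(rid)

    def edit(self, user, rid, new_value, reason, now=None):
        """Apply an edit only for editors, and log before/after with a reason."""
        if self.roles.get(user) != "editor":
            raise PermissionError(f"{user}: no edit right")
        entry = {"ts": now or time.time(), "user": user, "id": rid,
                 "before": self.rows.get(rid), "after": new_value,
                 "reason": reason, "prev": self._prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.rows[rid] = new_value
        self.log.append(entry)
        self._prev = entry["hash"]
        return entry["hash"]

    def history(self, rid):
        """Full edit history of one record: who, when, before, after, why."""
        return [e for e in self.log if e["id"] == rid]

def verify_log(log):
    """Recompute the chain; an altered, inserted or deleted entry breaks it."""
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Publishing the log (or its hashes) alongside the data lets anyone, not just the admin, confirm that the history shown is complete and unaltered.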
Appreciation: The Form C1 Scan System
In writing this post, I feel I have to be fair. If there is a security hole, I have to say so. If there is a best practice, it gets my appreciation.
The Form C1 scanning system made by the KPU team is, I think, very good. The application interface design is simple, without a lot of stuffing. That certainly helps boost use of the system.
The presentation of C1 on the website pilpres2014.kpu.go.id is also good. Simple and easy for anyone to use.

Managing C1 this way creates the perception that the election is fair and square. It is hardly possible to affect the election results once the C1 scans have all been collected on the KPU servers.

But I have a question. A fairly big question. The admins made a real count application, specifically for commission members, at the address http://103.21.228.33/internal. Why is this data not opened to the public?

Why force the public to crowdsource hundreds of thousands of Form C1 data entries? When there is already a real count ...

Just a question, after all that. There may be self-assessment ...

Conclusion
Back to the original question: did the 2014 Presidential Election take place honestly and fairly?
I do not know. Too many areas, too many polling stations, too many voters to be able to know what game was played with SILOG or SIDALIH.
But two things are certain. First: anyone who had access to SILOG and SIDALIH, had the intention of making candidate number one or number two win, especially before May 2014, and had the ability to coordinate with a campaign team on the ground (which TPS, which villages needed extra ballots ... which names needed to be added to or removed from the system) could greatly affect the outcome of the 2014 presidential election.
Second: it is not at all difficult to access all the KPU IT systems. In fact I suspect ... it was made this easy for hackers and crackers who want to get in. Why?
Hopefully not for the reason I think. Hopefully the security gaps I write about here ... are mistakes that were not intentional.
Because anyone who has access to the KPU IT systems ... may affect who is elected President.
The President has power over a country of 250 million people. A 2,000 trillion budget. 600,000 soldiers. A velocity of money of almost 10,000 trillion.
Because if it was intentional ...
It's easy ... There could be hundreds ... thousands ... probably millions of "new" voters. Creations of those who have access to SIDALIH.
There could also be hundreds ... thousands ... probably millions of ballots that are "coincidentally extra". Creations of those who have access to SILOG.
Sorry if this post raises so many new questions.
That is my writing. Hopefully it is helpful.
A.
Footnote: I am a hacker. Not a cracker. I did this out of curiosity, as an audit. Not out of any ill intention.
However, Indonesian law does not distinguish. To avoid possible criminal charges ... I wish to REMAIN anonymous.
Source: Audit-Commission
Original Title: IT System Security Audit of the Commission, 2014 Presidential Election
