NEC member Rong Chhun speaks to the press about candidate lists for the upcoming commune elections yesterday in Phnom Penh. Pha Lina
NEC shrugs off database hack
Phnom Penh Post | 19 April 2017
Officials and foreign donors yesterday sought to play down
concerns over the security of the National Election Committee’s voter
list, after anonymous leaker “Thleay” released a video appearing to show
manipulation of the database and the NEC confirmed it had been hacked.
The European Union and Japanese government have been major donors to
the voter registration process, which saw 7.6 million of the more than 9
million eligible voters registered last year. The ambassador to
Cambodia said the technical flaw had been corrected by experts.
The voting list is hugely politically sensitive after opposition
parties claimed the 2013 election was stolen by the ruling CPP, and with
commune elections due in June and national elections in 2018.
“Thleay”, which means “leaks” in Khmer, last week released a YouTube
video showing what appeared to be the hacking of the NEC’s online
database of voters and alteration of one of the entries. The hacker can
be seen changing Prime Minister Hun Sen’s name on the list to “Piseth
Pilika” – a provocative reference to the late dancer and alleged
mistress of the premier.
The hack was apparently conducted using an “SQL injection” that took
advantage of vulnerabilities in an online form that allows users to look
up their voter information. By exploiting the vulnerability, attackers
were able to run their own queries and alter database entries.
NEC spokesman Hang Puthea said the body had detected the hack before
the Khmer New Year celebrations and maintained the hacker was only able
to change details on the webpage, not the actual list, which is
maintained offline.
“We already have [security] measures so the hacker could not go in
deep into the list,” he said. “The source of the voter list is in a safe
place and has no internet linked to it.”
Asked if authorities were investigating the breach, Puthea declined
to comment. Chea Pov, director of the National Police’s cybercrime
department, also declined to comment.
The creation of a new voter list, as part of wider electoral reforms,
was part of the political deal struck by the two major political
parties in the aftermath of the 2013 national elections, when the
opposition CNRP contested the result that gave a narrow victory to the
CPP.
George Edgar, EU ambassador to Cambodia, said the main voter
registration system was separate to the online database, which was only a
copy of the offline database.
“We understand that when they became aware of information on the
hacking risk, the NEC closed the voter register website,” he said via
email. “It has since been reactivated, and restored as a new copy from
the original vote register.”
Cybersecurity expert Niklas Femerstrand told The Post that
SQL injections were a critical vulnerability in web applications, and
noted that even if the main database was offline, the same intrusion
could be used to manipulate it if the main list was maintained on the
same internal network.
“For this reason it is strongly recommended the NEC considers the
database server as fully compromised taking necessary action to
reinstall it from scratch,” he said in a message.
Yesterday, the NEC also said it would hand out paper notifications
over the next month to each voter informing them of their polling
station, but stressed that the notes weren’t a replacement for the ID
cards required to cast a ballot.
Meng Sopheary, the opposition Cambodia National Rescue Party’s head
of election affairs, expressed concerns that the process of handing out
the notifications – which will involve commune councillors, a majority
of whom come from the CPP – could be used to improperly campaign among
voters.
However, Tep Nytha, secretary-general of the NEC, said election
committees consisting of NEC officials, commune councillors and
observers would oversee the process, thereby preventing any politicking
prior to the two-week campaign period starting May 20.