|NEC member Rong Chhun speaks to the press about candidate lists for the upcoming commune elections yesterday in Phnom Penh. Pha Lina|
NEC shrugs off database hack
Phnom Penh Post | 19 April 2017
Officials and foreign donors yesterday sought to play down concerns over the security of the National Election Committee’s voter list, after anonymous leaker “Thleay” released a video appearing to show manipulation of the database and the NEC confirmed it had been hacked.
The European Union and Japanese government have been major donors to the voter registration process, which saw 7.6 million of the more than 9 million eligible voters registered last year. The ambassador to Cambodia said the technical flaw had been corrected by experts.
The voting list is hugely politically sensitive after opposition parties claimed the 2013 election was stolen by the ruling CPP and ahead of commune elections in June and national elections in 2018.
“Thleay”, which means “leaks” in Khmer, last week released a YouTube video showing what appeared to be the hacking of the NEC’s online database of voters and alteration of one of the entries. The hacker can be seen changing Prime Minister Hun Sen’s name on the list to “Piseth Pilika” – a provocative reference to the late dancer and alleged mistress of the premier.
The hack was apparently conducted using an “SQL injection” that took advantage of vulnerabilities in an online form that allows users to look up their voter information. By exploiting the vulnerability, attackers were able to run their own queries and alter database entries.
NEC spokesman Hang Puthea said the body had detected the hack before the Khmer New Year celebrations and maintained the hacker was only able to change details on the webpage, not the actual list, which is maintained offline.
“We already have [security] measures so the hacker could not go in deep into the list,” he said. “The source of the voter list is in a safe place and has no internet linked to it.”
Asked if authorities were investigating the breach, Puthea declined to comment. Chea Pov, director of the National Police’s cybercrime department, also declined to comment.
The creation of a new voter list, as part of wider electoral reforms, was part of the political deal struck by the two major political parties in the aftermath of the 2013 national elections, when the opposition CNRP contested the result that gave a narrow victory to the CPP.
George Edgar, EU ambassador to Cambodia, said the main voter registration system was separate to the online database, which was only a copy of the offline database.
“We understand that when they became aware of information on the hacking risk, the NEC closed the voter register website,” he said via email. “It has since been reactivated, and restored as a new copy from the original vote register.”
Cybersecurity expert Niklas Femerstrand told The Post that SQL injections were a critical vulnerability in web applications, and noted that even if the main database was offline, the same intrusion could be used to manipulate it if the main list was maintained on the same internal network.
“For this reason it is strongly recommended the NEC considers the database server as fully compromised taking necessary action to reinstall it from scratch,” he said in a message.
Yesterday, the NEC also said it would hand out paper notifications over the next month to each voter informing them of their polling station, but stressed that the notes weren’t a replacement for the ID cards required to cast a ballot.
Meng Sopheary, the opposition Cambodia National Rescue Party’s head of election affairs, expressed concerns that the process of handing out the notifications – which will involve commune councillors, a majority of whom come from the CPP – could be used to improperly campaign among voters.
However, Tep Nytha, secretary-general of the NEC, said election committees consisting of NEC officials, commune councillors and observers would oversee the process, thereby preventing any politicking prior to the two-week campaign period starting May 20.