Thursday, 24 July 2014

Timor Leste - They don't really care about us...



Forward
ANDR:----Tim Prabowo Temukan 265 Kotak Suara Masih TersegelKamis, 24
Juli 2014 - 17:56 wibQur'anul Hidayat - OkezoneJAKARTA - Tim Advokasi
Prabowo Subianto-Hatta Rajasa menemukan 260 kotak suara dalam keadaan
masih tersegel di Cilincing, Jakart
a
Utara. Temuan tersebut menimbulkan tanda tanya karena rekapitulasi
suara sudah selesai.Ketua Tim Advokasi Eggi Sudjana, mengatakan temuan
itu sudah dilaporkan ke Bawaslu dan Dewan Kehormatan Penyelenggara
Pemilu (DKPP). Sebagai bukti, Eggi mengaku menyerahkan foto."Ditemukan
semalam 265 kotak suara masih diperiksa di daerah Cilincing belum
dibuka. Ini tidak pidana," katanya di Gedung Bawaslu, Jalan MH. Thamrin,
Jakarta Pusat, Kamis (24/7/2014).
http://m.okezone.com/.../tim-prabowo-temukan-265-kotak...


pemilu.okezone.com

 Introduce. My name is A. Without a last name.

I was born in Indonesia. As a CEH, my profession of computer network security consultant.

This new year I follow the news and to vote in the Presidential elections Indonesia.

Today July 23 2014 I read the various posts. Many ask: Is the presidential election took place in 2014 with honest and fair?

I may have the answer. Possible. My writing may answer the question. May also even open many new questions.

However earlier apologies. I am not a writer. We are sorry if my language is not good. I'm trying to make a short and effective.

This paper is aimed to those of you who are curious.

Also
to elect a presidential candidate, Jokowi pack. In order for IT systems
later in 2019 elections could be better than now. So that no more that
cried foul.

Also for a presidential candidate is not elected, Mr.
Prabowo. Because you must be curious. Also for president now, sir SBY.
Who knows, the father was also curious.

Also to the designers and
IT systems admin election 2014: Raden Santoso, Nana Indra, Utian Ayuba,
Andy Nugroho, Yoga Dahirsa, Muhammad Hafidz et al.

Of course,
also to the members of the Commission: Husni Kamil Malik, Kurnia
Rizkiyansyah Ferry, Ida Budhiati, Sugit Pamungkas et al.

Consider it my contribution. For shared learning materials. That Indonesia is safer. Indonesia great. Indonesia rose.

7 April 2014

On 7 April 2014, I noticed a fascinating phenomenon.

Hackers
and crackers also have the right to vote. Had political rights. Also
have the right to campaign to support the number one or number two.

So
great was the spirit of the hackers and crackers in the 2014
Presidential Election. Most of the second support. Although there is
also the number one support.

This is my conclusion after seeing so many candidate ads on Google and YouTube. Ads are fine. Advertising also fine.

Though there can be no presidential ads on both sites. Google prohibits political advertising in Indonesia. In any form. But ...

They must realize the power of Google in limited ad filtering and blocking. This vulnerability is exploited.

There are also so excited, a lot of people hacked the site, converted into pages for promotion or disfigure that not supported.

They are trying to influence perception. Perceptions affect the results.

Their efforts make me ask. In addition to disseminating information to influence perception, what else can they do?

Get hackers and crackers sympathizers hacked into IT systems KPU candidates? And directly affect the outcome? I tried it.

Security Gap # 1: Email the Commission Members

To
understand how the Commission IT systems from the information I need. I
started looking for email addresses of members of the Commission.



I found this document all email addresses are active KPU commissioner used in this document. Six of seven using a free email.

I'm so ask. Organize elections not work playfulness. Why use a free email that is easily hacked? What might be intentional?

Ferry
seems Kurnia is the youngest of the seven members of the Commission.
Usually the youngest was the most involved IT affairs.

I send a
phishing email to the Ferry. Less than two hours, I was able to access
and read all the emails I have ever received and sent.

What I
found made ​​me confused. I am sure the members of the Commission, and
the Commission IT system designers not just anybody.

But they like to make everything so easy for a man like me has no intention to get into the IT system KPU.

Security Gap # 2: send Username and Password in Email

The
first thing I did when opening the mail box one member of the
Commission is looking for the word "password". I was surprised.

I can direct to SILOG password. Logistics System.



I also can password used Dropbox to store copies of data for the entire Indonesian voters.



Password
to the system can also count Commission estate. Ya. It turns out that
the Commission has a system that somehow the real count is not shown on
the website so that the public should count themselves as
kawalpemilu.org website.



Can also manage passwords for
the Commission's website. Can also password for SIDALIH, voter data
system. Can also passwords for many other systems.

It also makes
me confused. Granted various passwords sent by the admin via email. Is a
hacker wants to make it easier to enter the system?

Note: Many passwords are still used in this screenshot ... It makes me so ... Sorry if it's hidden so curious.

Security Gap # 3: There's Google Docs Username and Password

My
surprise. Email this really beyond logic and way of thinking. I found
an email sent by the IT system admin to all members of the KPU KPU.
GOOGLE DOCS contents with a list of all passwords Commission IT systems.

I
became really suspicious, administrators and members of the Commission
did want to facilitate the hackers and crackers to break into the IT
system of the Commission.

Moreover ...

Security Gap # 4: Easy Password Predictable Pattern

For example, this SSH password to KPU website I've ever used: 4dm1n80njol @ w1w1k. Username: kpuadmin.

Password root shell / MySQL: m3rd3k41945!

Many
IT system password Commission using the same pattern. Is so easy to
remember ... Or to be easily hacked. Sorry if I think that is a no-no,
because I was trained to look at patterns.

Security Gap # 5: All Commission Members Can Edit List of Voters at will

This
is the Voter Data System (SIDALIH) KPU. With this system the Commission
set names entered Voters List (DPS) and the voters list (DPT).
Addition
or subtraction of the names of voters can be done from this system.
This is crucial because in Indonesian armed with enough voters can
choose invitations without needing ID cards.
I am a layman. But a big
question for me. If you want safe: Why all the members of the
Commission DPT can edit at will? Why is access granted by the admin not
only read only?
Edit right decision is, of course deliberate
decision, not likely an accident, give very great authority for each
member of the Commission to play with the number of voters. Reduce or
add.
It could be if there is communication with the members of the
Commission that a presidential candidate's campaign team, or if there is
a hacker or cracker supporters of presidential candidate coming into
the system like me ... It could add or subtract new voters ... voters in
certain areas .
Those who can not choose, be given the right to
vote. They are known to pick a particular candidate, could revoked their
right to vote ... With easy. It's easy.
Moreover, for every entry ... No info or log publicly, who is last to edit let alone edit history.
Cracks were happy ... For those who have good intentions.
Security Gap # 6: All Commission Members Can Edit Sound Amount Paper Delivery at will
Logistics
System (SILOG) KPU. With this system the Commission governing the
distribution of ballots to all regions / TPS. Addition or subtraction
delivery ballots can be made ​​from this system.
My question is about the same as SIDALIH SILOG.
I
am a layman. But a big question for me. If you want safe: Why all the
members of the Commission can edit logistics such election ballots at
will? Why is access granted by the admin not only read only?
Sorry if
this is like a repeat. This decision, of course, a deliberate decision,
not likely an accident, give very great authority for each member of
the Commission to play with the number of ballots.
It could be if
there is communication with the members of the Commission that a
presidential candidate's campaign team, or if there is a hacker or
cracker supporters of presidential candidate coming into the system like
me ... It could send more ballots to certain areas. It's easy.
Moreover, as in SIDALIH ... For every entry ... No info or log publicly, who is last to edit let alone edit history.
Appreciation: System Scan Form C1
In
making this post, I feel I have to be fair. If there is a security
hole, I have to say. If there is a best practice that is done, my
appreciation.
C1 form a system scan made ​​by the Commission team I
think is very good. Application interface design is simple, not a lot of
stuffing. It certainly helps boost system utilization.
Presentation C1 on the web pilpres2014.kpu.go.id also good. Simple and easy to use by anyone.

C1
Management makes the perception that the election fair and square.
Hardly likely to affect the results of the election if the scan C1've
collected all of the servers Commission.

But I have a question.
The question is quite large. Admin make a real count applications,
specifically for the members of the Commission at the address
http://103.21.228.33/internal - why this data is not opened to the
public?

Why force the public to conduct mutual cooperation of
hundreds of thousands of data entry form C1? Though it has no real count
...

Just a question just after it. There may be self-assessment ...

conclusion
Back to the original question: Is the 2014 Presidential Election took place with honest and fair?
I do not know. Too many areas, too many polls, too many voters to be able to know the name of the game with SILOG or SIDALIH.
But
two things are certain. First: Anyone who can have access to SILOG and
SIDALIH and have no intention of winning candidate number one or number
two, especially before the month of May 2014, and had the ability to
coordinate with a successful team on the field (TPS TPS, where the
villages that need to be exceeded ballots ... the names of what needs to
be added or subtracted from the system) can greatly affect the outcome
of the presidential election in 2014.
Second: Not at all difficult to
access all IT systems KPU. In fact I suspect ... As is made so easy for
hackers and crackers who want to enter. What is it?
Hopefully not see why. Hopefully the security gaps that I write here ... It is a mistake that was not intentional.
Because anyone who has access to the IT system the Commission ... may affect who is elected President.
The
President has the power to 250 million population country. 2,000
trillion budget. 600,000 soldiers. The velocity of money is almost
10,000 trillion.
Because if it was intentional ...
It's easy ...
It could be hundreds ... thousands ... probably millions of voters
"new". Creations of those who have access to SIDALIH.
It could also
be hundreds ... thousands ... probably millions of ballots were "more
coincidence". Creations of those who have access to SILOG.
Sorry if this post so raises new questions.
Thus my writing. Hopefully this is helpful.
A.
Footnote: I'm a hacker. Not a cracker. I do this out of curiosity audit. Not because there are no good intentions.
However, Indonesian law does not distinguish. To avoid the possibility of criminal ... I wish to REMAIN anonymous.
Source: Audit-Commission
Original Title: IT System Security Audit Commission 2014 presidential election

No comments:

Post a Comment