NBA Elections 2020: Aspirants Express Concern Over Potential Election Manipulation
…Olumide Akpata Writes to Electoral Committee …Engages IT Security Expert to Conduct Vulnerability Assessment of NBA Portal
As the national elections of the Nigerian Bar Association (NBA) draw close, some candidates in the elections have openly expressed concern over the administrative and technical handling of the voters’ register and the e-voting platforms respectively, which, according to them, may result in the disenfranchisement of voters and the possible manipulation of the forthcoming elections.
In a letter dated July 20, 2020 to the Electoral Committee of the Nigerian Bar Association (ECNBA), frontline candidate for the office of President of the association, Olumide Akpata, highlighted critical issues identified by users of the portal, as well as by an IT security firm whose services Akpata had engaged to investigate the integrity of the portal. Some of the issues experienced by members include a voters’ list flawed with anomalies, including duplication of names and the inclusion of non-persons, among other things.
The letter read in part: “Even more distressing is the fact that the NBA portal on which the verification exercise is being conducted appears not to be secure and can be easily manipulated. A couple of days ago, I got a particularly alarming complaint from a supporter: ‘…they have been messing my portal up, today my branch will change and the next, my date of birth or my state of origin. Someone has access to the back end to mess up…You don’t get email when it is touched from the back end.’ Since then, I have read similar complaints on various social media platforms.”
Akpata stated that, refusing to take the complaints of several lawyers at face value, he engaged the services of an IT security firm to carry out an investigation into the integrity of the portal. He enclosed the report in his letter, which showed, amongst other things, that the portal is porous and has several vulnerabilities which mischief makers can exploit for or against a candidate.
He drew the attention of the ECNBA to the fact that the final voters’ list “was flawed with anomalies, including duplicity of names, inclusion of non-persons, such as the infamous “Opening Balance” and failure to include names of people who had paid their Bar Practicing Fees and Branch dues as at March 31 2020.” The letter read in part: “It also raises the question of why and how such obvious duplications were even possible. There is even the now notorious and likely non-existent “Opening Balance” whose year of call is, unsurprisingly, not indicated. One wonders how that entry got into the voters’ list if, indeed, the list exclusively contains names of members who paid their Bar Practising Fees (BPF) and Branch Dues no later than 31 March 2020.”
Akpata further criticised the opaque manner in which the ECNBA has disclosed the technology and modalities for the elections.
He said, “We have not seen any demonstration or test-run of the proposed technology and are therefore not able to ascertain that it would work at all, to say nothing of guaranteeing free, fair and transparent elections,” adding that he had refrained from writing the ECNBA for a long time out of deep respect for the leadership and members, but noted that it was no longer okay to be silent in the interest of the voting public.
The former Chairman of the NBA Section on Business Law expressed hope that the issues he highlighted in his letter will be attended to. He urged the ECNBA to publish a complete and accurate list of eligible voters and to release a statement from Access Bank showing the members who paid their Bar Practising Fees by 31 March 2020.
Hoping that the verification process will be simplified and made more secure, he requested that the technology to be deployed for the elections be disclosed and adequately secured to ensure the integrity of the polls.
Another candidate for the same office, Dele Adesina, SAN also recently wrote to the Chairman, Electoral Committee of the Nigerian Bar Association (ECNBA) expressing his concerns on some critical issues on the forthcoming NBA National Elections.
In the letter dated 9th July 2020, a community of supporters for the candidate, known as the DASAN (Dele Adesina, SAN) Group, expressed concerns over the same voters’ list, citing duplication of names, inflation, and the ejection of names from the voters’ list, and asked for an accurate number of eligible voters. They also queried the non-disclosure of the service providers and the management of the electoral process by the ECNBA, adding that the candidates have not been actively involved in the process.
In another development, the Economic and Financial Crimes Commission (EFCC) has filed a 14-count charge before a Federal High Court, Lagos against two persons, Sarah Omeigha Ajibola and John Ozovehe Demide, for rigging the August 2018 Nigerian Bar Association (NBA) elections in favour of the incumbent President, Mr Paul Usoro SAN.
In charge no FHC/L/118c/2020, EFCC accused the duo of “conspiring and knowingly altering the e-mail and phone numbers of about 1004 eligible voters of the NBA 2018 elections with the intention that such inauthentic data will be acted upon as genuine during the said election and you thereby committed an offence contrary to section 27(1)(b) over the Cybercrime (Prohibition, Prevention) Act 2015 and punishable under section 13 of the same Act”.
This prosecution comes at a time when the association is preparing for another round of elections. There have been complaints and fears in different quarters that this election might also be rigged.
Below is the Vulnerability Assessment Report of the NBA Portal (https://nigerianbar.org.ng):
In line with concerns citing reports from users of the NBA portal that their passwords were being changed without their initiating such action, and your request for a vulnerability assessment of the Nigerian Bar Association Portal, we carried out a vulnerability assessment of the web platform with IP 188.8.131.52 and came up with the following deductions:
- That the NBA Portal is built on Drupal 8, an Open Source Content Management Software. The platform is a template edited for the NBA.
- That the NBA portal has a vulnerability severity rating of between 4 and 7 based on the discovered vulnerability exposures.
- That the following vulnerabilities were discovered on the platform:
Cross-Site Request Forgery (CSRF):
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf, such as changing the victim’s e-mail address, home address, or password, or purchasing something.
CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user’s session cookie, basic auth credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request. In this way, the attacker can make the victim perform actions that they didn’t intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.
Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already. Synonyms: CSRF attacks are also known by a number of other names, including XSRF, “Sea Surf”, Session Riding, Cross-Site Reference Forgery, Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.
Note: This attack was exploited a few weeks ago on the NBA portal, when many users complained that their passwords had been changed without their having taken such action personally.
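To make the CSRF point concrete for the password-change case described above, here is an added illustration (not code from the report or from the NBA portal) of a state-changing handler that trusts the session cookie alone, beside one that additionally checks the request’s Origin header and a per-session synchronizer token. The origin, session store and form layout are assumptions for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://portal.example"  # assumption: the portal's own origin

@dataclass
class Session:
    """Constructed stand-in for the server-side session bound to a cookie."""
    user: str
    # Random per-session token; rendered into the site's own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

def change_password_vulnerable(session, form):
    # The browser attached the session cookie, so the request is accepted
    # regardless of which site built the form: the CSRF defect.
    return {"user": session.user, "changed": True}

def change_password_hardened(session, form, headers):
    # 1) Reject requests whose Origin (or, failing that, Referer) is foreign.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return {"changed": False, "reason": "cross-site origin"}
    # 2) Require the per-session token, which a foreign page cannot read.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return {"changed": False, "reason": "missing or invalid CSRF token"}
    return {"user": session.user, "changed": True}

def simulate_cross_site_post():
    """Constructed scenario: the victim's browser submits a form built on a
    foreign page, with the victim's cookie attached but no token available."""
    victim = Session(user="member@example")
    forged_form = {"new_password": "x"}  # constructed; token absent
    forged_headers = {"Origin": "https://evil.example"}  # constructed
    return (change_password_vulnerable(victim, forged_form),
            change_password_hardened(victim, forged_form, forged_headers))

def simulate_legitimate_post():
    """Constructed scenario: the site's own form, carrying the session token."""
    user = Session(user="member@example")
    form = {"new_password": "x", "csrf_token": user.csrf_token}
    return change_password_hardened(user, form, {"Origin": SITE_ORIGIN})
```

Marking the session cookie SameSite=Lax or Strict adds a browser-side layer, but the server-side token check is what prevents a forged form from succeeding.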
Cross-site tracing (XST):
The TRACE verb supported by most web servers can be manipulated to produce a Cross-Site Scripting attack that results in sending arbitrary HTML to the victim’s browser. The TRACE verb is designed to echo a user’s input and intended for debugging or testing a web server. The TRACE verb is not required for web applications to function (web applications and web browsers usually only need the HEAD, GET, and POST verbs). Usually, an attacker will attempt to manipulate an XST vulnerability in order to present malicious HTML as if it came from a legitimate source. Because TRACE echoes input sent to the web server, an attacker will attempt to create a malicious payload and trick a victim into submitting that payload to the server. The payload then appears in the victim’s browser and may be an attempt to steal session ID information, passwords, or other sensitive information. Although the impact of this attack may be high, it is often difficult to successfully exploit. It is related to the more serious Cross-Site Scripting (XSS) vulnerability; however, Cross-Site Tracing attacks the web server whereas XSS attacks the web application.
Cross-site Scripting (XSS) – With A Severity Rating of 6:
An attacker can do the following damage with an exploit script:
- access other sites inside another user’s private intranet
- steal another user’s cookie(s)
- modify another user’s cookie(s)
- steal another user’s submitted form data
- modify another user’s submitted form data before it reaches the server
- submit a form to your Web application on the user’s behalf that modifies passwords or other application data
The two most common methods of attack are:
- having a user click a URL link sent in an e-mail
- having a user click a URL link while visiting a Web site
In both scenarios, the URL will generally link to the trusted site, but will contain additional data that is used to trigger the XSS attack.
Note that SSL connectivity does not protect against this issue.
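The section above describes a link to the trusted site carrying extra data that triggers the script. As an added illustration (not from the report or the portal), the following contrasts a page that reflects a URL parameter verbatim with one that HTML-encodes it before rendering; the URL and parameter name are constructed assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

def reflected_param(url, name="q"):
    """Extract a query parameter from a link such as the ones described above."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def render_vulnerable(term):
    # Interpolates untrusted input straight into markup; a crafted
    # parameter value is interpreted as HTML/script by the victim's browser.
    return f"<p>Results for: {term}</p>"

def render_hardened(term):
    # Encode for the HTML text context (quote=True also covers attributes),
    # so the same input is displayed as literal text instead of executing.
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def contains_active_markup(rendered):
    """Coarse check used here only to show the difference between outputs."""
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered

# Constructed link: a trusted host plus a parameter carrying markup.
SAMPLE_URL = "https://portal.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"
```

Note that transport encryption (HTTPS) changes nothing here: both renderings travel over the same TLS connection, which is why the report says SSL does not protect against this issue.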
The recommendations we propose here are based on professional beliefs, experience and globally adopted standards.
- A Unique Customized Secure Platform Built Specifically For The NBA: An organization with such repute and standard as the Nigerian Bar Association requires a unique software architecture and security framework used to build a customized web portal for all its services.
- Remediation of Security Vulnerabilities: This refers to the process by which the identified vulnerabilities are resolved and further threats to the platform are prevented.
- Constant Vulnerability Assessment: There should be a set standard procedure for running assessment and penetration test constantly to keep the platform updated in line with global security standards and its defence capable of deterring any such cyber-attacks.