Monday, March 11, 2013

IEBC: Security Compromise or Poor Project Management Discipline?

I remember reading this article while in a hotel somewhere in the Far East: http://www.nation.co.ke/News/politics/IEBC-to-invite-hackers-to-invade-its-systems/-/1064/1449152/-/uko5x7z/-/index.html. I thought to myself, "Hmmm, this is interesting. Challenge accepted, maybe?"

This led me to ask a dozen questions about how prepared we are to run a system of national interest in such a short period of time. In light of what Kenya has experienced in terms of cyber security exposure within the last year, I cringed at the bold assertion by Oswago: "We are confident that our system is tamper-proof. However, sometime in November we will invite those who think they can hack into the system to do it."

You don't make such a proclamation unless you are 100% +1 sure of what you are talking about. I have audited lots of systems, and even after go-live I still have the urge to continuously test and retest for any loopholes I may have missed. My deepest fear is being blindsided by that 0-day exploit, or a stray misconfiguration which leads to compromise. Perhaps Mr Oswago knew something I didn't know; after all, he is the CEO. However, I felt that was an ambitious remark, and if they indeed would invite "hackers" I would be most humbled to have a go at the system which would be used in our election.

Many months later, the invite hadn't been sent out. I would constantly visit the IEBC website just in case they posted the invite there. Incidentally, a few months before the above "invite", IEBC had put out a job advertisement for very specific roles, found here: http://www.kenyancareer.com/2012/03/latest-government-jobs-iebc.html
  • Information Systems Auditor
  • Operation Systems Auditor
  • Compliance Risk Officer
These are very specific roles in ensuring that a system of this nature is well audited and that every cog moves in sync with all other operational tasks. So question 1: can the people who filled the above roles please stand up?


With slightly over 30 days to the general election, IEBC now invites "IT Experts" from the various parties to come and assess the system to their satisfaction. Here again we see not only a lapse in project management discipline but also a clear indication that the system, albeit having been tested, wasn't really pushed to its breaking point. A paramount question is: where is the evidence of any sign-offs from the above "experts", assuming of course this was run with the project management discipline as we know it? Even more interesting, they commissioned the system for go-live having satisfactorily tested it. So where does the question of "server crashed due to load" come into play?

Let's move to the 20th-22nd Feb. I recall seeing a snippet in the Daily Nation regarding the IEBC having contracted an independent information security auditing firm to conduct one last audit of the system. In an interesting rejoinder to the interviewer, I guess, IEBC preferred to keep the name of the firm and/or the auditor secret due to the nature of the task. Bear in mind this is just under 11 days to the polls.

March 4th, and the system is seemingly working flawlessly up until there was a slight glitch. Numbers stopped moving, the rain was hampering the transmission of feeds to the media houses, tension! In a presser held by Hassan, chairman of the IEBC, he stated that yes, there was a technical issue with the server, but they had resolved the issue. However, 3 days later the chairman was on stage once again, admitting that there was indeed a bug in the system which was purportedly multiplying rejected votes by a factor of 8! How that line of code found its way into the system is anyone's guess. So let us take a step back. When was this line of code discovered? When was it introduced? Did they have an ironclad change management system that forbade anyone from accessing the production system? If the auditors called in between the 20th and 23rd Feb did their job, were they so unqualified as to miss a rogue line of code? Where are the audit results?
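A defect of the kind described above (rejected votes multiplied by 8 somewhere between the polling station and the public total) is exactly what a reconciliation check at the tally layer exists to catch. The code below is an added example and not IEBC's system: each station record carries an independently reported total cast, and every transmitted record is re-derived and checked against it. Station names, registered counts and figures are constructed.

```python
"""Tally reconciliation check (added example, not IEBC code).

A station reports valid, rejected and total_cast separately, so a tally
layer can verify that valid + rejected == total_cast and that no station
casts more ballots than it has registered voters. The x8 defect from the
post is simulated on constructed data to show it being flagged.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StationResult:
    station: str
    registered: int
    valid: int
    rejected: int
    total_cast: int  # reported independently of valid + rejected


def reconcile(r: StationResult) -> list:
    """Return reconciliation failures for one station (empty list if clean)."""
    problems = []
    if r.valid < 0 or r.rejected < 0:
        problems.append(f"{r.station}: negative count")
    if r.valid + r.rejected != r.total_cast:
        problems.append(f"{r.station}: valid+rejected={r.valid + r.rejected} "
                        f"!= total_cast={r.total_cast}")
    if r.total_cast > r.registered:
        problems.append(f"{r.station}: total_cast {r.total_cast} "
                        f"exceeds registered {r.registered}")
    return problems


def buggy_transmit(r: StationResult, factor: int = 8) -> StationResult:
    """Simulate the defect the post describes: rejected votes are multiplied."""
    return StationResult(r.station, r.registered, r.valid, r.rejected * factor, r.total_cast)


def audit(results) -> tuple:
    """Run reconcile over all records; return (aggregate rejected, problems)."""
    problems = []
    for r in results:
        problems.extend(reconcile(r))
    return sum(r.rejected for r in results), problems


# Constructed sample data, not real IEBC figures.
SOURCE = [
    StationResult("PS-001", 700, 612, 9, 621),
    StationResult("PS-002", 450, 398, 4, 402),
    StationResult("PS-003", 820, 760, 12, 772),
]

if __name__ == "__main__":
    print(audit(SOURCE))                                      # (25, [])
    print(audit([buggy_transmit(r) for r in SOURCE]))         # (200, 3 problems)
```

The check only works because total_cast is captured at the source and transmitted alongside the breakdown; if the same buggy code also recomputed the total, an independent reference (a paper form or a second channel) would be needed.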

As you ponder on these facts, I'll be back with part two on how this affects both you and me in ways we cannot escape, with real examples right here at home...

-ty


3 comments:

  1. IEBC should know that IT project management is not like any other! Inviting IT experts from rival parties can't be a guarantee that they will be told of the loopholes in the systems unless ethics still exist. As a software developer, an error multiplying stuff by x8 is questionable! If it was developed locally, did they consult widely? System implementation and testing is a crucial step where, although all stakeholders need to be involved, in a crucial system like this it raises questions on how it was done! Well, let the fight go and, as you say, we all cannot escape...
