The offensive approach to Ghana’s voter data exposure

Jean Mensah

A few days ago, the voter registration details of over 15 million Ghanaians were uploaded and circulated through various media platforms via Google Drive. The source of the publication has not been completely verified, and the legal authority to publish this data is equally under discussion. Those questions, however, are not the primary concerns of cybersecurity experts.

The CIA and AAA models

The CIA model stands for Confidentiality, Integrity, and Availability. The AAA model represents Authentication, Authorization and Accountability.

The main focus of security is protecting the confidentiality, integrity and availability of data. Security cannot be achieved through technology alone; it involves people, procedures, and products. Humans are regarded as the weakest link in the chain of security. Data must be private: authorized users should have the right to see it, and unauthorized users should be restricted from viewing its contents. Data in transit over the Internet should be free from modification. If a piece of data is tampered with, the whole content of the data is regarded as corrupt. Permitted users of a service should be able to access that service regardless of where and when they work on it. The data should be available to them so that they can do their jobs efficiently.

Every organization, such as the Electoral Commission of Ghana, should require authentication, which is the process of proving that a user is who he or she claims to be. When you claim to be somebody, that is identification; when you can prove it, that is authentication. You can prove your identity with something you know, like a password; something on your body, like a fingerprint; or something you possess, like a key. A combination of more than one of these is regarded as multi-factor authentication.

Authorization means providing the correct level of access that a user should have based on their credentials. Any authorization beyond the normal job function opens the door for malicious violations of the confidentiality, integrity, and availability of data. Keeping track of what users do when they access a system is crucial. This is necessary for forensics, which can be vital during a security incident.
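The three AAA steps can be shown together in a short sketch. This is an added example, not part of the original article: the role names, permission strings and factor labels are hypothetical, and the hash-chained log goes slightly beyond the text to show how accountability records can themselves be protected against modification.

```python
import hashlib
import json

# Hypothetical roles, each limited to what its job function needs.
ROLE_PERMISSIONS = {
    "registration_officer": {"voter:read", "voter:update"},
    "helpdesk": {"voter:read"},
}
GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; every entry hashes its predecessor, so edits are detectable."""

    def __init__(self):
        self.entries = []

    def append(self, user, permission, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"user": user, "permission": permission, "allowed": allowed, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return False
            prev = entry["hash"]
        return True


def access(name, role, factors, permission, log):
    """Authenticate, authorize, and record the decision whether or not it is allowed."""
    # Two passwords are still one factor: count distinct categories, not credentials.
    authenticated = len(set(factors)) >= 2
    allowed = authenticated and permission in ROLE_PERMISSIONS.get(role, set())
    log.append(name, permission, allowed)
    return allowed
```

Denied attempts are logged as well as granted ones, since refused requests are often the first trace an investigator looks for.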

The rise in cyber-attacks during this COVID-19 era

There has been a huge rise in the number of breached records of governments and individual politicians in the first quarter of 2020, according to research from Atlas VPN. The study showed there were 17 million leaked government records during this period: a 278% increase compared to the first quarter of 2019. In February, the records of 6.5 million Israeli citizen voters were leaked online, and in the same month the government of Quebec, Canada, admitted to a data breach that has potentially exposed the records of 360,000 teachers. These resources are considered valuable and are dumped onto the internet and sold on the dark web at cheaper prices. Nation-sponsored attackers leverage COVID-19 to craft emails that lure organizations into giving out sensitive data.

Security concerns

Scenario 1:

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while they click on seemingly innocuous objects, including web pages. An attacker could craft a malicious page that replicates the site of the Electoral Commission and infect the Ghana voter data with a malicious command.

Anyone can be tricked into downloading files without intending to. The file gets dropped onto the victim's (tricked citizen's) system and executed, causing a full compromise of the system.
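Clickjacking depends on the target page being embeddable in a frame on another site, which a site owner can check from the response headers alone. The audit below is an added example, not part of the original article; the paths and header values in SAMPLES are constructed.

```python
def parse_csp(value):
    """Return {directive: [sources]} for one Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour only the first occurrence of a directive.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def framing_verdict(headers):
    """Return (verdict, reason); verdict is 'protected', 'weak' or 'exposed'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Content-Security-Policy-Report-Only is deliberately not read: it enforces nothing.
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()

    if "frame-ancestors" in csp:  # takes precedence over X-Frame-Options
        broad = [s for s in csp["frame-ancestors"] if s in ("*", "http:", "https:")]
        if broad:
            return "weak", "frame-ancestors admits any origin: " + " ".join(broad)
        return "protected", "frame-ancestors restricts who may embed the page"
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options: " + xfo
    if xfo:
        return "weak", "X-Frame-Options value is obsolete or invalid and is ignored"
    return "exposed", "no anti-framing header: any site can embed the page"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "/login": {"Content-Type": "text/html"},
    "/register": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/results": {"Content-Security-Policy": "default-src 'self'; frame-ancestors https:"},
    "/verify": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "/status": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for path, headers in SAMPLES.items():
        print(path, *framing_verdict(headers))
```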

Scenario 2:

From the exposed voter data, an attacker can create a fake voter registration card to impersonate anyone. The attacker could possibly find a vulnerability in an online site such as Tonaton or Jumia and cause a reduction in pricing by manipulating the cost from 1,000gh to 1gh. The attacker then orders whatever he or she wants and, upon delivery, verifies their identity to the dispatch riders with the fake voter ID.

Mitigations and preventions

Cybersecurity awareness training should be encouraged to help state institutions like the Electoral Commission of Ghana further understand the risk involved in releasing confidential data to the general public on the Internet, and how attackers or malicious users can leverage it for their own gains.

A more secure platform, with proper access control and security methods that ensure confidentiality, integrity and availability, must be established.

The Electoral Commission of Ghana must identify and document security requirements early in the development stage, with quality assurance techniques in check. Further practices can be effective in identifying and eliminating risk in the application. Penetration testing and vulnerability assessment should both be incorporated as part of an effective quality assurance program.

Threat modelling can be used to anticipate the threats that could affect the software or application. Threat modelling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in designs, code, and test cases.

(The author is the Founder/CEO of Inveteck Global & Security Researcher | Member, Institute of ICT Professionals Ghana)

For comments, contact [email protected]; +233 (20)236-6048
