1. All accounts in the integrated electronic electoral management system are based on authorizations contained in the IEBC IT Access control and user access management policy.
2. The Access control list provided for only 341 users. Between 6th August 2017 and 22 August 2017:
a. There were 3395 failed login attempts
b. There were 3851 successful log in attempts
3. The KIEMS RTS user accounts:
a. Gave read only authorizations;
b. Deletion of files was not granted;
c. Provided for configuration of election settings and user management. However from the Access Control List no one was granted these privileges.
4. Contrary to IEBC IT Access Control and User Access Management Policy, user accounts were misused by both internal and external parties as follows:
a. Access was granted to strangers who were not identified by role and who were not defined in any access lists. Among these are vendors, anonymous users using Gmail accounts, Morpho and SCYTL.com and Administration staff who were noted to be logging into the KIEMS Kits between 08th August 2017 and 22nd August 2017. Eg aash003@gmail.com, bernwafukho@gmail.com, carles.garcia@scytl.com, abir.chaari@groupe-telnet.net among many others.
5. The Chairperson’s account was used multiple times to transfer, delete and modify files through the File Transfer Protocol Server which was the mechanism through which all Forms including forms 34 could be uploaded onto the IEBC server.
6. The Chairperson’s user account alone had 9934 transaction logs.
a. The account used an IP address that was not part of the IEBC Partner addresses (41.212.16.248) a wananchi network IP address.
b. Examples of some of the transactions noted from this account include:
i. The account uploaded Form 34B for Jomvu Constituency
ii. 0n 09th August 2017 the account downloaded, re-uploaded and deleted form 34B for Bureti Constituency;
iii. On 13th August 2017 this transferred the folder for Kisumu Central Constituency.
iv. Sample transactions are included in the Annexure marked “A” to this report. It is titled FileZilla Server (FTP server) – Report.
7. There were cases of use of non partner IP addresses eg wananchi and liquid telcom 41.60.238.138
8. Forms 34A and 34Bs were posted by Constituency Elections Coordinators (CEC) at constituency level instead of from polling stations during and after the election.
9. There is no trace of data originating from any polling station. This raises questions whether data on the server came from the polling station.
10. Some constituencies have no trace of any Form 34B uploaded on to the server.
11. In other constituencies Form 34B were uploaded more than once.
12. There were several instances of uploading files and retrieving them by various users.
13. Only 277 users accessed the FTP server between August 6th 2017 and 17 August 2017 yet data was supposed to be uploaded from each polling station.
14. There are instances of one user using multiple IP addresses to access the FTP server. Eg Jlimaris@iebc.or.ke used 10 different IP addresses contrary to the static IP address allocation for the KIEMS Kits and the access control policy.
15. There were renamed or modified forms in various constituencies as seen from the FTP Server logs provided by IEBC
a. Constituency Elections Coordinators (CEC) made various modifications multiple times eg:
b. vkimelil@iebc.or.ke from sotik in bomet county was able to install software applications on 09th august 2017 among other interventions
c. The CEC for Kibwezi East fwaitah@iebc.or.ke uploaded the same form 34B more than once at different times.
d. nmaftah@iebc.or.ke made modifications on Jomvu Form 34B
e. asenge@iebc.or.ke deleted form 34B from changamwe constituency
16. Some accounts granted were misused to carry out unauthorized and malicious activities.
a. There were a total of 8300 delete commands.
b. 7954 delete commands were successfully executed between 8th August 2017 at 2232hrs and 17th August 2017 at 1319hrs.
17. File Formats
a. Different file formats were uploaded on to the FTP server which shows there no input controls. Some files were in editable formats such as EXCEL AND WORD DOCUMENTS.
(The Statutory Forms came in hard copy already printed therefore the system should not have had editable file formats)
18. Mismatched user privileges. One user vkimelil@iebc.or.ke is a CEC from sotik bomet was not a privileged user to install software application on a IEMS. No controls.
19. Fire walls
a. A fire wall controls access or traffic in and out of a server with restricted server.
b. On the 8th of August there was no traffic on the firewall. Traffic started flowing from the 12th August 2017 at 2.44 CEST (-1GMT)
c. The amount of data in terabytes per second was the same for both incoming and outgoing traffic into the server.
d. IEBC refused to provide the firewall rules.
e. IEBC refused to provide Certified penetration test.
20. As at the time of preparing this Report most critical documents under the Order of Court had not been supplied and all parties agreed.
The IEBC server report is damning, strange IP addresses accessed the IEBC server! The below IP addresses accessed the file server even though they do not belong to the IEBC IP address inventory:
Leave a Reply