Data and technical information provided by the Supreme Court to a police forensic team during the Jumhooree Party’s case against the Elections Commission (EC) could not have been used to access the commission’s web servers, the Maldives Police Service has said.
Police said in a press release yesterday (October 21) that the forensic team offered technical assistance sought by the court to examine the evidence of alleged electoral fraud.
The police team were provided a printed list of the marked voters register and the access logs for the EC’s ballot progress report system (BPRS), which contained the IP addresses of those who had accessed the server, along with date and time.
“This is not information that could be used to penetrate any web site or web server,” police said, adding that the Supreme Court did not share any data from the EC aside from the BPRS logs.
“As sufficient time was not available to analyse the aforementioned logs and because the Elections Commission did not provide technical information concerning the BPRS, this service’s forensic team was unable to conduct a technical analysis,” the press release stated.
The police statement concluded with an appeal to all state institutions to protect and securely maintain “online systems containing information related to Maldivian citizens” while offering assurances that police would provide any assistance requested to ensure protection of such systems.
The police statement follows remarks by EC Chair Fuwad Thowfeek on state broadcaster Television Maldives (TVM) on Saturday night claiming that the commission’s data was being “destroyed” after technical information and logs were submitted to the Supreme Court.
“Previously, access to the system was very restricted to very few people, not just anybody could access it. But now the system is open. Now we are seeing people accessing and changing our database. No one had the opportunity to access the system in the annulled first round of presidential elections. People are destroying our data,” Thowfeek had said.
“So we cannot give the kind of certainty they [political parties] want, NCIT [National Centre for Information Technology] cannot give that kind of assurance now either. Earlier, they said they could not notice any external access in the annulled first round of election. They have not said anything yet [about the revote]. But I am certain, I know that if they check now, they will find there are ways for people to access the database. Because we see changes that should not take place happening to our data.”
Securing the IT system
The NCIT meanwhile said in a press statement on Sunday (October 20) that the centre’s staff have been working with the EC to secure the commission’s database and IT system following the Supreme Court judgment annulling the September 7 election.
In point 16 of the guidelines imposed on the EC by the Supreme Court verdict on October 7, the EC was ordered to reform their IT system in accordance with the “professional opinion” of the NCIT and other relevant state institutions.
Following consultations with the EC on October 8, the NCIT recommended immediate measures concerning “the most sensitive problems”, which the EC promptly implemented, the press release stated.
As interruptions to the EC systems could occur during the process, NCIT officials were allowed to establish a mechanism ensuring security on October 18 after the voter registry was printed – one day before the re-scheduled vote was due to take place.
The NCIT did note, however, that as the mechanism was set up on October 18, the centre was unable ensure external parties did not access the EC server and database before that date.
The NICT press release stressed that it had not sought any usernames or passwords required to access the EC systems and database during the process of securing the servers, adding that this information was not required to implement the recommended security measures.
“Therefore, if anyone apart from those authorised by Elections [Commission] accessed the system and database, it has to be further investigated,” the NCIT stated.
Following Thowfeek’s remarks on TVM, the press release stated, the NCIT had asked the EC to share relevant information concerning the alleged security breach, but was yet to receive a response.
The police press statement meanwhile revealed that on August 14 it was alerted to information from the Department of National Registration’s (DNR’s) ID card database, along with the names of registered political party members, being published on a website (http://maldives.annonymous.lv).
Police discovered that the information was taken from an EC web server (p.elections.gov.mv) as the server’s home page was hacked, the press release explained.
However, when the security breach was brought to the attention of the EC, police said that the commission allegedly denied the incident took place and refused to provide cooperation to the police investigation.
The site was blocked by the Communication Authority of Maldives (CAM) on August 20 upon request by the police, after which it was taken down with foreign assistance, police revealed.
Moreover, police found out that an automatic virus was downloaded to computers of persons visiting the page on the EC’s website that detailed the number of registered members of political parties.
Following the discovery, police met with EC Chair Thowfeek and other officials on August 19 to discuss the security issues and to share the findings.
“At the meeting, the commission’s technical staff said the Elections Commission’s web servers were constantly attacked and that they were blocking the IP addresses of the attackers,” police said.
While the EC was requested to provide the noted IP addresses, the police statement said that the information has yet to be sent.
Speaking at a press conference last night (October 21), Thowfeek said that NCIT officials were working ceaselessly with the EC IT staff but had not yet completed a full report on the security issues.
The NCIT has offered assurances that the EC servers and database would be secured before preparations were underway for the presidential election scheduled for November 9, Thowfeek said.
“We are proceeding with the assurance of the technical staff,” he said.