Ahead of the NBA election: Critical Issue

Ahead of the Nigerian Bar Association election, Olumide Akpata writes a letter to the electoral committee identifying the problems related to the process. He notes that there has been a flaw in the final voters’ list and calls for urgent action to be taken for a transparent election process.

Below are the letters he has written to the relevant persons and offices to address the issues with the election process and to achieve a seamless exercise.

4th Floor, The Octagon, 13A, A. J. Marinho Drive, Victoria Island, Lagos.

Tel: +234 1 4611892, Fax: +234 1 4611 292

Mobile: +234 802 290 4797

E-mail: olu.akpata@templars-law.com

20 July 2020

The Electoral Committee of the Nigerian Bar Association (ECNBA)

National Secretariat

NBA House, Plot 1101

Off Muhammed Buhari Way Central Business District Abuja.

Attention: Tawo E. Tawo, S.A.N.

Learned Silk,

URGENT NEED TO AVERT THE LOOMING DISENFRANCHISEMENT OF VOTERS AND POSSIBLE MANIPULATION OF THE FORTHCOMING 2020 NBA ELECTIONS

I trust that this letter meets you and yours well and safe.

Let me begin by thanking the ECNBA for its good intent and efforts towards conducting credible 2020 elections into the national offices of the NBA. I wish the ECNBA every success in this crucial exercise which invariably calls for a showing of the highest levels of integrity, fairness, transparency and impartiality.

I am constrained, however, by a deep sense of duty to the NBA and utmost regard for the calibre of persons that constitute the ECNBA, to register respectfully my reservations concerning the persistent issues affecting the voters’ register and verification process as well as the general opacity regarding the conduct of the forthcoming elections. As one of three candidates vying for the office of the President of the NBA in the national elections which the ECNBA has currently scheduled for 29 and 30 July 2020 (just 10 days away), I am keenly interested in the forthcoming elections being free, fair and transparent. The realities surrounding the electoral process presently, with respect, do not suggest that this would be the case, as I explain below.

A. Seriously flawed final voters’ list

The final voters’ list published by the ECNBA for the forthcoming elections is curious, to say the least. There is tell-tale duplicity of names on that list which raises the question of what would become of the votes of members whose names fall into this category. It also raises the question of why and how such obvious duplications were even possible. There is even the now notorious and likely non-existent “Opening Balance” whose year of call is, unsurprisingly, not indicated. One wonders how that entry got into the voters’ list if, indeed, the list exclusively contains names of members of the NBA who paid their Bar Practising Fees (BPF) and Branch Dues by no later than 31 March 2020. Ironically, whilst the final voters’ list contains both duplicated and apparently nonexistent names, I am informed that it omits a significant number of NBA members who paid their BPF and Branch Dues on time.

B. Frustrating and cumbersome verification process

In addition to the issues with the final voters’ list, the verification regime for the forthcoming elections appears to have the effect of preventing prospective voters from exercising their franchise. In the last couple of weeks, I have been inundated with feedback from members about challenges with verification. In many cases, it takes days for verification emails to be sent whilst some members simply do not get verified no matter how many times they try.

Even more distressing is the fact that the NBA portal on which the verification exercise is being conducted appears not to be secure and can be easily manipulated. A couple of days ago, I got a particularly alarming complaint from a supporter: “they have been messing my portal up, today my branch will change and the next my date of birth or my state of origin. Someone has access to the back end to mess up… You don’t get email when it is touched from the back end.” Since then, I have read similar complaints on various social media platforms.

To be certain, I did not accept the complaints that I saw at face value. I engaged an IT security firm to carry out a basic investigation into the integrity of the portal. Their report, which is enclosed with this letter for your review, shows clearly that the portal is extremely porous. For transparency, I have also enclosed the curriculum vitae (including contact details) of the IT security expert who authored the report — in case the ECNBA sees a need to interrogate the findings in the report. In plain terms, the ECNBA must know that the portal on which verification for the forthcoming elections is being conducted has serious vulnerabilities which could be exploited by anyone to manipulate the process in favour of or against particular candidates.

C. Opacity regarding the technology and modalities for the elections

Finally, the lack of information regarding the specific modalities for the forthcoming elections is quite disturbing and the ECNBA, most respectfully, needs to address the point publicly now. As of the date of writing this letter, the ECNBA has not informed me (and, I believe, any other candidate) of the technology it intends to use in the elections, how that technology works, who will provide it, how secure it is against possible hacks or manipulation (such as the ones that currently bedevil the NBA portal), etc. We have not seen any demonstration or test-run of the proposed technology and are therefore not able to ascertain that it would work at all, to say nothing of guaranteeing free, fair and transparent elections. Yet, this is legitimate information which both the candidates and the electorate in the forthcoming elections ought to have received and verified long before now.

D. Request for urgent action

I must confess that I did hold off on writing this letter for as long as possible out of deep respect for the leadership and members of the ECNBA and in the hope that remedial actions would have been taken before now. I am aware that some well-meaning members of the NBA took the noble initiative of reaching out to the ECNBA in their private capacities regarding these issues. To date, however, no concrete response appears to be forthcoming from the ECNBA despite the imminence of the elections. In the circumstances, silence can no longer be golden.

I enjoin the ECNBA to be as perturbed about the above-identified deficiencies in the electoral process as I am, and to ensure that they are fully redressed before the elections hold. We must learn from history in order not to be doomed to repeat it. The electoral process and eventual elections in 2018 raised many valid concerns which must be avoided this time around. In 2020, our profession is already stressed by the COVID-19 pandemic, to say nothing of the perception created—rightly or wrongly—by a certain leaked letter and memo from a very senior member of the Bar. Anything short of a fully transparent, free, fair, credible and user-friendly electoral process in the forthcoming elections would thoroughly offend the collective sensibilities of the members of the NBA which the ECNBA was constituted to serve. I appeal, therefore, to the individual and collective integrity of the leadership and members of the ECNBA to ensure that the 2020 elections are, and are seen to be, unquestionably credible.

At a time when we are struggling to birth an NBA that would enjoy the confidence of its members, an election process that is less than transparent and credible will reflect poorly on us as an elite professional association.

In this regard, I hereby call on the ECNBA to, as a basic minimum, do the following:

  1. Publish a complete and accurate list of eligible voters in the forthcoming elections;
  2. To aid number (1) above, release the statement from Access Bank plc which shows members who paid their BPF for 2020 by 31 March 2020;
  3. Simplify and secure the verification process, including clarifying the purpose that the verification process is meant to serve, considering that every member can be verified regardless of BPF payment status; and
  4. Disclose the technology to be deployed for the elections (including the service provider(s) and measures that the ECNBA has put in place to make it secure).

Let me add, in respect of request number (4) above, that best electoral practices followed by peer professional associations around the world (and by the NBA Lagos Branch during its elections last year) entail using technology service-providers that specialise in the conduct of electronic voting, such as the United States-based Vote-Now.com LLC (https://vote-now.com/), whilst the associations supply the data of eligible voters. I am of the humble opinion that the NBA can and should adopt this standard in the forthcoming elections for greater transparency and integrity of the voting process.

I thank you for your understanding.

OLUMIDE AKPATA

WebITSCure

Cyber Security Consulting, Operational Support, Data & Privacy Company

12 Osho Street, Oregun, Link Road, Opebi, Ikeja, Lagos,

Nigeria.

Webitscure@tutamail.com

https://www.webitscure.com

Mr Olumide Akpata

TEMPLARS

4th Floor, The Octagon

13A, A. J. Marinho Drive

P.O. Box 72252, Victoria Island

Lagos, Nigeria.

Dear Sir,

Vulnerability Assessment Report of The NBA Portal https://nigerianbar.org.ng

In line with concerns citing reports from users of the NBA portal complaining of their passwords being changed without their initiating such action, and your request for a vulnerability assessment of the Nigerian Bar Association Portal, we carried out a vulnerability assessment of the web platform with IP 130.61.106.164 and came up with the following deductions:

  1. That the NBA Portal is built on Drupal 8, an open-source content management system. The platform is a template edited for the NBA.
  2. That the NBA portal has a vulnerability severity rating between 4 and 7, based on the discovered vulnerability exposures.
  3. That the following vulnerabilities were discovered on the platform:

Cross-Site Request Forgery (CSRF):

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim’s behalf, like change the victim’s e-mail address, home address, or password, or purchase something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. For most sites, browsers will automatically include with such requests any credentials associated with the site, such as the user’s session cookie, basic auth credentials, IP address, Windows domain credentials, etc.

Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish this from a legitimate user request. In this way, the attacker can make the victim perform actions that they didn’t intend to, such as logout, purchase item, change account information, retrieve account information, or any other function provided by the vulnerable website.

Sometimes, it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attack can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

Synonyms: CSRF attacks are also known by a number of other names, including XSRF, “Sea Surf”, Session Riding, Cross-Site Reference Forgery, Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and many places in their online documentation.

Note: This attack was exploited a few weeks ago on the NBA portal, where many users complained of their passwords being changed without their having taken such action personally.

Cross-site Tracing (XST):

The TRACE verb supported by most web servers can be manipulated to produce a Cross-Site Scripting attack that results in sending arbitrary HTML to the victim’s browser. The TRACE verb is designed to echo a user’s input and intended for debugging or testing a web server. The TRACE verb is not required for web applications to function (web applications and web browsers usually only need the HEAD, GET, and POST verbs). Usually, an attacker will attempt to manipulate an XST vulnerability in order to present malicious HTML as if it came from a legitimate source. Because TRACE echoes input sent to the web server, an attacker will attempt to create a malicious payload and trick a victim into submitting that payload to the server. The payload then appears in the victim’s browser and may be an attempt to steal session ID information, passwords, or other sensitive information. Although the impact of this attack may be high, it is often difficult to successfully exploit. It is related to the more serious Cross-Site Scripting (XSS) vulnerability; however, Cross-Site Tracing attacks the web server whereas XSS attacks the web application.

Cross-site Scripting (XSS), with a severity rating of 6:

The Web application is vulnerable to cross-site scripting (XSS), which allows attackers to take advantage of Web server scripts to inject JavaScript or HTML code that is executed on the client-side browser. This vulnerability is often caused by server-side scripts written in languages such as PHP, ASP, .NET, Perl or Java, which do not adequately filter data sent along with page requests, or by vulnerable HTTP servers. This malicious code appears to come from your Web application when it runs in the browser of an unsuspecting user.

An attacker can do the following damage with an exploit script:

  - access other sites inside another user’s private intranet
  - steal another user’s cookie(s)
  - modify another user’s cookie(s)
  - steal another user’s submitted form data
  - modify another user’s submitted form data before it reaches the server
  - submit a form to your Web application on the user’s behalf that modifies passwords or other application data

The two most common methods of attack are:

  - Having a user click a URL link sent in an e-mail
  - Having a user click a URL link while visiting a Web site

In both scenarios, the URL will generally link to the trusted site, but will contain additional data that is used to trigger the XSS attack.

Note that SSL connectivity does not protect against this issue.

Our Recommendations

The recommendations we propose here are based on professional beliefs, experience and globally adopted standards.

  - A Unique Customized Secure Platform Built Specifically For The NBA: An organization with such repute and standard as the Nigerian Bar Association requires a unique software architecture and security framework used to build a customized web portal for all its services.
  - Remediation of Security Vulnerabilities: This refers to the process by which the identified vulnerabilities are resolved and further threats to the platform are prevented.
  - Constant Vulnerability Assessment: There should be a set standard procedure for running assessments and penetration tests constantly, to keep the platform updated in line with global security standards and its defence capable of deterring any such cyber attacks.

Thank you for using our services in securing data and its environment; we pledge to always deliver perfect solutions for solving complex problems.

Yours Sincerely,

Trend Adams Makarios

Director Of Professional Services

WebITScure.com
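The report above attributes the portal's unauthorised password changes to CSRF. The following Python sketch is an added illustration, not part of the WebITSCure report or the NBA portal's code: it shows the layered checks a password-change endpoint needs (POST only, an Origin check, a session-bound synchronizer token and re-authentication) and runs one legitimate request and two forged ones against it. The secret, origin, session record and user record are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed values for the demo: an application secret and the portal's own origin.
SERVER_SECRET = b"constructed-secret-replace-in-production"
ALLOWED_ORIGIN = "https://portal.example"


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session via HMAC; the server stores nothing extra."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not a framework type)."""
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)


def change_password(req: Request, sessions: dict, users: dict) -> tuple:
    """POST /account/password with layered CSRF defences; returns (status, message)."""
    # 1. Only POST may change state: a GET triggered by <img src=...> must never do anything.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. The request must carry a valid session cookie (the browser attaches it even cross-site).
    sid = req.cookies.get("session")
    user = sessions.get(sid)
    if user is None:
        return 401, "not authenticated"
    # 3. Origin (or Referer) must be exactly our site; browsers set Origin on cross-site POSTs.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")):
        return 403, "cross-origin request rejected"
    # 4. The form must echo the session-bound token, which a page on another origin cannot read.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), csrf_token(sid).encode()):
        return 403, "missing or invalid CSRF token"
    # 5. Re-authenticate for a sensitive change: a forged request cannot supply the current password.
    if req.form.get("current_password") != users[user]:
        return 403, "current password incorrect"
    users[user] = req.form["new_password"]
    return 200, "password changed"


def demo() -> tuple:
    """One legitimate request and two forged ones against fresh, constructed state."""
    sid = secrets.token_hex(16)
    sessions = {sid: "member@example"}
    users = {"member@example": "old-pass"}  # plaintext only for the demo; store hashes in practice
    legit = change_password(Request(
        "POST", {"Origin": ALLOWED_ORIGIN}, {"session": sid},
        {"csrf_token": csrf_token(sid), "current_password": "old-pass", "new_password": "new-pass"},
    ), sessions, users)
    # Forged cross-site POST: the cookie rides along, but Origin is foreign and the token is absent.
    forged = change_password(Request(
        "POST", {"Origin": "https://evil.example"}, {"session": sid}, {"new_password": "attacker-pass"},
    ), sessions, users)
    # Forged GET via an image tag: rejected before any other check runs.
    via_get = change_password(Request("GET", {}, {"session": sid}), sessions, users)
    return legit, forged, via_get, users["member@example"]
```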
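The report's XST finding rests on the server honouring the TRACE method. As an added example (not from the report or the portal), this Python check starts two local stand-in servers, one that echoes TRACE and one that refuses it the way Apache does with `TraceEnable Off`, and probes each the way an administrator would verify their own configuration; the marker header name and the handler classes are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed marker header: a server that honours TRACE echoes the whole request, marker included.
MARKER = "X-Trace-Probe"


def trace_enabled(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if the server answers TRACE with an echo of the request (the XST precondition)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={MARKER: "constructed-value"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", errors="replace")
        # A compliant echo is a 200 whose message/http body repeats our request headers.
        return resp.status == 200 and MARKER in body
    finally:
        conn.close()


class EchoingHandler(BaseHTTPRequestHandler):
    """Local stand-in for a misconfigured server: TRACE reflects the request line and headers."""

    def do_TRACE(self):
        echoed = f"{self.command} {self.path} {self.request_version}\r\n" + str(self.headers)
        data = echoed.encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(EchoingHandler):
    """Same server with TRACE refused: 405 and an Allow list without TRACE."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def run_check(handler) -> bool:
    """Serve the handler on an ephemeral loopback port, probe it, and shut it down."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return trace_enabled("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()
```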

TA Makarios

Nigeria

linkedin.com/in/tamakl

writetrend@gmail.com

07068530754

Summary

Software Architecture & Development, Idea Implementation and Strategy, Penetration Testing & Web Platform Security Assessment, A.I Implementation.

I am passionate about solving complex life problems using simple and innovative technology solutions.

Experience

Director of Professional Services, WebITSCure

May 2020 – Present (2 months +)

A Cyber Security, Data & Privacy Company

WebITSCure is a software development, Cyber Security Consulting and Operational Support company, with a reputation for both effective security solutions and the use of innovative technology in the protection of data and its environment.

Founder

Yanfunyanfun

Aug 2019 – Present (11 months +)

Agric Profit Yanfunyanfun.com is Nigeria’s First farm produce and food products aggregation, promotion, distribution and subscription service which connects all participants, services and products necessary for a complete agriculture value chain with a support service to increase yield and profits. On the platform one can subscribe for farm produce and food products delivered weekly, monthly and quarterly.

Investor / Advisor

Printsout

Jan 2020 – Present (6 months +)

It’s Nigeria’s No. 1 responsive online print media solution, enabling small businesses like yours to market themselves effectively. Design and order custom printed marketing materials and other publicity materials.

Gospel Tech Evangelist

CHRIST EMBASSY INTL (BELIEVERS’ LOVEWORLD)

Sep 2019 – Present (10 months +)

Chief Technology Officer

Quick Leap

May 2018 – Present (2 years 2 months +)

Responsible for overseeing all technical aspects of the company. Using an active and practical approach, the CTO will direct all employees in IT and 10 departments to attain the company’s strategic goals established in the company’s strategic plan.

Represent the technological agenda in staff meetings and when making hiring decisions

Maintain current knowledge of technology landscape and developments

Consolidate company technology platforms and create plans for each

Track, analyze and monitor technology performance metrics

Identify new areas of digital marketing opportunities and create plans to implement them for Quick Leap Global and clients

Take the initiative in thought leadership, innovation and creativity

Spearhead IT projects to increase Quick Leap market reach and improve our USP

Oversee all system design and changes in system architecture

Building Security Frameworks and Designs

Consultant

SOGENTRUSTS

2015 – Present (5 years 6 months +)

Education

Pakistan Institute Of Computer Science & Technical Skills

Master’s degree, Information Technology

2018 – 2019

Carlos III University of Madrid (UC3M)

Associate’s degree, Cyber Security

2018 – 2018

Cyber security, showing different aspects of this discipline. Knowledge of all the main existing cyber security threats is necessary, and of how to protect yourself against them.

Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from Cyber attacks.

Harvard

Microsoft Professional Certificate, Front End Development

2017 – 2018

Fundamentals, and understanding the most frequently used tools in creating world class web presence and appealing User Interfaces and environments.

Rays Computer Institute of Technology

Associate Degree, Computer and Information Sciences and Support Services

2002 – 2005

Licenses & Certifications

  - Learning to Teach Online – LinkedIn
  - Project Management Essentials Certified (PMEC) – Management and Strategy Institute (48301040)
  - Advertising on Instagram [2017] – NASBA Center for the Public Trust (#140940)
  - Cybersecurity for IT Professionals – CompTIA (AVfaaFrxsny3z9RP09jWLfNU573b)
  - Cybersecurity for IT Professionals – LinkedIn Certification (AVfaaFrXsny3z9RP09jWLfNU573b)
  - Ethical Hacking, A+, Network+, and Cloud* – CompTIA (AT8_ri4Rq8xa61HN-5L4RLOBOKLP)
  - Ethical Hacking – LinkedIn Certification (AT8_ri4Rq8xa61HN-5L4RLOBOKLP)
  - Cybersecurity Foundations (2015) – LinkedIn Certification (Aaj1800EyQyVGDbq020TmuNGejhL)
  - Advertising on Facebook (2016) – NASBA Center for the Public Trust (Registry ID: #140940)
  - Advertising Foundations – Project Management Institute (#100020003103)
  - Leading with Innovation – Project Management Institute (#100020003302)
  - Understanding and Prioritizing Data Privacy – LinkedIn Certification (AWTD-xsduYPHph02B832SoTxn3AR)
  - Critical Thinking – LinkedIn Certification (AdpyAcBtyTYt8phATyJd2Lc2pzA9)
  - Leading Globally – Project Management Institute (100020003816)
  - Leadership In Tech – LinkedIn Certification (AWWR71RWa5voTgbZLuwjOOxOMorL)
  - Executive Leadership – Project Management Institute
  - Lean Six Sigma White Belt Certified (LSSWB) – Management and Strategy Institute
  - Certified Network Security Specialist (CNSS) – ICSI (International CyberSecurity Institute), UK

Skills

Web Application Security • Software Project Management • Ideas Development • Penetration Testing • Artificial Intelligence (AI) • Machine Learning • Web Applications • Project Management • Strategic Planning • Business Strategy
