[CSIS] [Edited] In the name of the law: CND Theft + Canadian Lottery

Day 941, 22:43 Published in Canada by CSIS HQ

EDIT:

Latest news: be aware of it

The CSIS informs the population that they should NOT participate in the Canadian Lottery sponsored by the Canadian Lottery Corporation, organization #1886772.
(Note: The name of the organization might change over time.)

On June 20, that organization published an article announcing a new Canadian Lottery with a ticket cost of 1 gold each. Prizes would be houses, food or weapons.

We have to mention here that 1ronman (see the report below) is the current owner of this organization. It was used in the past for the eCanadian forums lotteries.

If you want to protect your money from another public theft, please do not participate in that sweepstake.

We thank the population for their collaboration!

Edited on June 20, 19:22 @ eRepublik time.




President Dade Pendwyn's release: http://www.erepublik.com/en/article/cnd-theft-exposed-1422683/1/20


You probably already know what happened and have already read the President's release; however, as the CSIS was officially in charge of the investigation, it is our duty to present you with a report outlining what happened.

On Saturday June 12, 2010, the Canadian National Defense organization was accessed, and the money in it was transferred to another org, Robotics Constructions. The Weapons Canada company was also sent to that org. We evaluate the total loss at about 10 000 CAD.

At the time of the theft, only 3 people had access to the org:
1. President Dade Pendwyn
2. Minister of Defense Chucky Norris
3. General of the CAF Ramizeth

At first, 3 possibilities were considered:

Possibility 1: The money and guns were stolen by one of the three people who had access: Dade Pendwyn, Chucky Norris, and Ramizeth.
Possibility 2: Somebody hacked directly into the account.
Possibility 3: Somebody intercepted a line of communication to steal the password.

So we tried to eliminate one possibility at a time.

Possibility 1 was the hardest to rule out; the most we were able to do was estimate the exact time of the theft and check whether these three people showed online activity at that time.

Then, two more possibilities were envisaged:
Possibility 4: A third party may have had access to one of the suspects' personal in-game accounts. This was ruled out, since the password was never communicated via in-game methods, so an in-game account would not have exposed it.
Possibility 5: A keylogger or tracer infiltrated their computers and picked up the password. Also ruled out, as far as a scan can rule it out: full system scans were run, and nothing was found.

During a talk with the President, we found out that the email account showed no attempt to reset the password, and in fact the President was the only one who had access to that email address. The org password was not changed, and the CND remained in the government's hands, even though empty.

Screenshot: http://img291.imageshack.us/img291/802/picture1sss.png

As for direct hacking, the password was too strong to be cracked by brute-force methods.

Then, in Ramizeth's statement, he told us that the password had been communicated to him through a forum PM:

Screenshot: http://img180.imageshack.us/img180/193/picture2aj.png

Chucky Norris was also able to confirm that during an IRC interrogation:
06:39:58: {marcchelala} i need a screenshot of the PM in which dade gave you the new passwords
06:40:05: {marcchelala} ramizeth said that it was sent over forums
06:40:08: {marcchelala} i need to confirm that
06:40:25: {Chucky_Norris} it was

So our only viable lead was the interception possibility: the password had travelled through the forum PM system, so anyone who could read the forum database could read it.

CSIS Deputy Director jfstpierre, who had some admin rights on the forums, was able to look into that. He found out that only a Backend Admin with full access to the server terminal, or the Server Hoster, could access the database which stores the PMs sent on the forums. In this case, that means 1ronman (Backend Admin) or NeoIce (Server Hoster).

So jfstpierre contacted NeoIce, who turned out to have evidence incriminating 1ronman of opening around 1000 PMs on the forums, one of which contained the password to the CND.

Here is the PM sent from NeoIce to CSIS Deputy Director:

Ironman logs into the server with a cryptographic key. These are more secure than passwords and are a holdover from when eCanada was originally hosted on my personal web server, thule.neoice.net. In theory, this crypto key also has a password associated with it, making it extremely hard to steal someone's login credentials. The following messages are from the `auth.log` on "collective", the webserver that currently hosts eCanada.


auth.log:Jun 14 15:29:26 collective sshd[4738]: Accepted publickey for ecanada from 70.72.xxx.xxx port yyyyy ssh2
auth.log:Jun 14 18:39:42 collective sshd[13834]: Accepted publickey for ecanada from 70.72.xxx.xxx port yyyyy ssh2

Screenshot: http://img13.imageshack.us/img13/9520/logincensored.jpg

This establishes that this IP address (70.72.xxx.xxx) belongs to Ironman.

All URL requests at eCanada are logged. These messages contain a ton of information. First and foremost, we have the requesting IP address and a timestamp. All times are in PST, which is noted by the "-0700", meaning -7 hours from UTC. Next, we have the requested URL. If you're observant, you may have noticed many URLs contain things like "post_id=blah". These are variables which can be encoded within URLs and then processed by the server. Some variables, like "token" or "session_id", are basically junk, but some variables like "msg_id" are very important in determining the content of the page viewed. After the request URL, we have the "return code" and "referring URL". The return code is just a flag to say "this request worked" or "this request failed for this reason." Many people are familiar with "error 404"; those get logged. The "referring URL" is the page that the user clicked through from (if any). The last bit of information in the log entry is the "user-agent". This is information on the operating system and web browser used to make the request. This is also unimportant.

Here we see a raw entry in the eCanada.ws access_log. We will break it up according to the classification above.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5685 "http://ecanada.ws/phpmyadmin/sql.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

IP address: 70.72.xxx.xxx
Date: [14/Jun/2010:15:35:00 -0700]
Requested URL: "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1"
Return Code: 200 5685
Referral URL: "http://ecanada.ws/phpmyadmin/sql.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC"
User-Agent: "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

So, now that we know how to analyze an access log, let's start by just stripping off the junk, which, conveniently, is most of the end.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1"

Now we have just the IP, date and request. We can trim the request a bit too, since "token" is garbage and isn't important either. "HTTP/1.1" is just telling us what kind of request it was, so we'll chuck that out too.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php"

If you know anything about programming databases, a "primary key" is generally the piece of information that uniquely identifies an item. If you have a table of users, it's very likely that they will have a "primary key" of their user ID number. Since we know we're looking at messages, we can assume that the primary key is the message. The "sql_query" doesn't contain any useful information, but it does look like the kind of SQL query someone (or some software) would make if they were browsing phpbb_privmsgs.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187

This is really the meat of the request. URLs convert certain characters for safety reasons in the format %##. %20 is the most common, referring to a space. For readability, let's clean this up really quickly. (reference: http://www.december.com/html/spec/esccodes.html)

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+`phpbb_privmsgs`.`msg_id`+=+27187

I haven't covered the most basic parts yet! phpMyAdmin is a web-based control panel for MySQL databases like the one eCanada runs on. "tbl_change.php" is a page that opens a single object for viewing/editing. Everything after the question mark is information tbl_change.php uses to determine what object it's opening. Here we see it looked in database "ecanada", table "phpbb_privmsgs" and msg_id "27187". This message is the sting message which was set up with the fake password.

Screenshot: http://img638.imageshack.us/img638/3213/june14censored.jpg

Screenshot: http://img215.imageshack.us/img215/6136/msg27187censored.jpg

ecanada.ws_access_log.1:70.72.xxx.xxx - - [11/Jun/2010:1😇7:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=7974c6448e7c7bfc3ea422714e465d5a&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+26347&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5567 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

Here we see the raw log entry for someone viewing message 26347. Let's clean it up quickly.

70.72.xxx.xxx - - [11/Jun/2010:1😇7:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=`phpbb_privmsgs`.`msg_id`+=+26347


Screenshot: http://img121.imageshack.us/img121/5740/june11thcensored.jpg

This msg_id corresponds to the password for Canadian National Defense. It was viewed just before the account started sending out the messages trying to get more money into the org for theft.

Screenshot: http://img267.imageshack.us/img267/2847/msg26347censored.jpg



Ironman viewed the CND password message shortly before the attack on CND took place. A subsequent sting operation by the Prime Minister confirmed Ironman's interest in messages regarding passwords for the executive branch. It is reasonable to conclude that Ironman used his access to gain access to the CND account and commence the publicly known attack.
All of the raw logs used in this investigation are available upon request, due to their large filesize and potential to contain "sensitive" information.

NeoIce
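
The log analysis NeoIce walks through above, as a script. This is an added example, not code from NeoIce, the CSIS or the eCanada forums: it attributes an IP from sshd "Accepted publickey" lines in auth.log, then picks out phpMyAdmin tbl_change.php views of phpbb_privmsgs rows from the access log by percent-decoding the query string and reading the msg_id out of the primary_key parameter, and finally joins the two so only PM views from the attributed IP remain. The log lines embedded in it are constructed stand-ins: documentation addresses (203.0.113.5, 198.51.100.7) replace the masked 70.72.xxx.xxx, the 11 June timestamp is invented, and a PM view from an unrelated address plus an ordinary forum request are added so the filters have something to reject. Only the msg_ids 27187 and 26347 come from the article.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not the real logs). 203.0.113.5 stands in for the
# masked 70.72.xxx.xxx; 198.51.100.7 is an unrelated visitor; the timestamp of
# the 11 June entry is invented. Only msg_ids 27187 and 26347 come from the article.
AUTH_LOG = """\
Jun 14 15:29:26 collective sshd[4738]: Accepted publickey for ecanada from 203.0.113.5 port 51234 ssh2
Jun 14 18:39:42 collective sshd[13834]: Accepted publickey for ecanada from 203.0.113.5 port 51240 ssh2
Jun 14 18:40:01 collective sshd[13900]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
"""

ACCESS_LOG = """\
203.0.113.5 - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5685 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
203.0.113.5 - - [11/Jun/2010:12:00:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=7974c6448e7c7bfc3ea422714e465d5a&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+26347&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5567 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"
198.51.100.7 - - [14/Jun/2010:15:36:10 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=0000&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+100&goto=sql.php HTTP/1.1" 200 5000 "-" "curl/7.19.7"
203.0.113.5 - - [14/Jun/2010:15:40:00 -0700] "GET /viewtopic.php?t=123 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Successful sshd login as written to a Debian-style auth.log
SSHD_RE = re.compile(r'sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+')
# Decoded phpMyAdmin row selector, e.g. `phpbb_privmsgs`.`msg_id` = 27187
PK_RE = re.compile(r'`(?P<table>\w+)`\.`(?P<col>\w+)`\s*=\s*(?P<val>\d+)')


def parse_access_line(line):
    """Split one combined-log line into fields; None if it is not a combined-log line."""
    m = ACCESS_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # "14/Jun/2010:15:35:00 -0700": %z keeps the UTC offset so times stay comparable
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs does the %XX decoding and turns '+' back into spaces
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def ssh_source_ips(auth_lines, user):
    """IPs that completed an sshd login as `user`; this is the attribution step from auth.log."""
    return {m.group("ip") for m in map(SSHD_RE.search, auth_lines)
            if m is not None and m.group("user") == user}


def privmsg_views(access_lines, table="phpbb_privmsgs"):
    """Yield (ip, time, msg_id) for each phpMyAdmin single-row view (tbl_change.php) of `table`."""
    for line in access_lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].endswith("/tbl_change.php"):
            continue
        if rec["query"].get("table") != table:
            continue
        pk = PK_RE.search(rec["query"].get("primary_key", ""))
        if pk is not None and pk.group("table") == table:
            yield rec["ip"], rec["time"], int(pk.group("val"))


def attribute_views(access_lines, auth_lines, ssh_user):
    """Join the logs: PM rows opened from an IP that also holds SSH sessions as `ssh_user`, oldest first."""
    known = ssh_source_ips(auth_lines, ssh_user)
    hits = [v for v in privmsg_views(access_lines) if v[0] in known]
    return sorted(hits, key=lambda v: v[1])


if __name__ == "__main__":
    for ip, when, msg_id in attribute_views(ACCESS_LOG.splitlines(), AUTH_LOG.splitlines(), "ecanada"):
        print(f"{when:%Y-%m-%d %H:%M:%S %z}  {ip}  opened phpbb_privmsgs msg_id={msg_id}")
```

Two points worth noting in the design. The token and sql_query parameters are decoded along with everything else but never consulted, exactly as NeoIce discards them; the row identity lives entirely in primary_key, so the selector is matched after decoding rather than by string-searching the raw URL, which would miss the %60 and %3D encodings. And the join on IP is only as strong as the auth.log attribution: an IP that appears in both logs is evidence of the same network vantage point, not proof of the same person, which is why the sting message in the article matters.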


This is how the CSIS, and later the Executive, was able to find out that 1ronman was behind the Canadian National Defense theft.

On a side note, in our monitoring of the thief's org during this investigation, all the CAD and Gold have been transferred to an unknown location through the monetary market (foreign currencies such as BAM, BOM and FRF have appeared), and most of the weapons have been sold.

However, during our investigation we also pursued some leads suggesting that 1ronman may have had accomplices, who either participated in the crime or knew about it and didn't report it; or else there may be multis involved.
This is why I don't consider this case closed, and the CSIS is continuing its investigation to get to the bottom of this matter. Until we have hard evidence or proof that there were accomplices or multis, we won't release any further evidence.

For now, the forums have been secured and moved to another domain: http://ecanada.cc/ and 1ronman has been stripped of his admin rights.

So: by the powers conferred on me by the CSIS Act, I arrest the holder of Canadian citizenship 1ronman, for violation of the privacy policy, abuse of admin rights on the eCanadian forums, and direct involvement in the theft of the Canadian National Defense governmental org through illegal access.

A trial will be held at Supreme Court shortly.

Thank you,
marcchelala - CSIS Director


PS: Do not buy guns from Ultimate Weaponry on the market, or from any org which offers a very large number of Q1 weapons for a very low price.