CND Theft Exposed

Day 941, 17:08 Published in Canada Canada by Dade Pendwyn
Canadian Conduit - Presidential Address #5

I said the eye was watching. I wasn't kidding...

The Executive and CSIS both conducted independent investigations of the theft, and we have both arrived at the same conclusion despite not sharing information until now. This article represents the work of the Executive - you can expect a report from the CSIS soon.

***Important Information - Please Read***

1) www.ecanada.cc is the new location of the forums - they are the exact same forums, just a different address.

2) Proof (which will be outlined in this article) has shown 1ronman is the CND infiltrator.

3) In light of this abuse of database privilege, as well as this atrocious theft, 1ronman is being removed from forum and irc admin.

4) Since 1ronman owns the ecanada.ws domain name, the forums will be moved to ecanada.cc (don't worry, all the forums remain - 1ronman owned the domain only, not the server).

5) All government organizations are secure.


It is with great sadness that I announce that a prominent eCanadian, and somebody I have considered a longtime friend (despite minor bumps in the road), is the Canadian National Defense thief. The CND password was the only one passed over the forums, and upon thorough investigation of the forum server log (which we were given access to by the owner of the server) we can prove that 1ronman snuck into the database and viewed the PM containing the CND password; just hours later, the CND was compromised. Everything can be proven with logs and screenshots.


TL;DR Version of Evidence Implicating 1ronman

Server Evidence

1) On June 11th at 10:07am, -0700, 1ronman goes into the forum database and views the message "NEW CND PASSWORD", msg_id 26347, which was sent by Chucky Norris to Dade Pendwyn, and contained the password to the Canadian National Defense organization.

2) Hours later the Canadian National Defense organization began sending out PMs pretending to be Chucky Norris asking for the passwords to Supply Branches of the CAF. Later messages were sent from the CND asking for money that had been recently disbursed from the CND to be returned. The thief was trying to get as much funding into the org as possible before making the theft.

3) Not long after these messages were sent out, the thief likely realized he could not wait any longer for funds to return in case Supply Officers saw through his fake messages. On June 12th he donated the funds to Robotic Constructions, as well as sold himself the company containing some of the CAF's Q1 Weapon stockpile.

4) Knowing that the Canadian National Defense password was the only one to be passed via forum PM, Dade Pendwyn contacts NeoIce, owner of the forum server, to see if there was any record of who accessed the message in question. After discovering that 1ronman accessed the CND password message in the database just prior to the CND becoming compromised, he decided to set up a "sting" message to be doubly certain that the thief is 1ronman.

5) On June 14th at 12:00 PST, Dade has Minister of Finance SirDeLaShaunRon Smith send a forum PM to Dade containing a fake new password to the Revenue Canada organization. At around 14:00 PST, in a private conversation, Dade informs 1ronman he believes a hacked erep account was the reason for the compromise, and that from now on he would only send passwords on the forums. 1ronman agreed. Dade pointed out that trying to get passwords from ministers was like pulling teeth, and so far he had only managed to get a new one for Revenue Canada. At 15:35 PST 1ronman logged into the database and viewed the message containing the fake Revenue Canada password. He was the only person aside from Dade and Shaun (neither of whom have database access - 1ronman was the only one besides the server owner who did) who knew about the message. This was the "sting" message, and 1ronman bit.

Possible Motives

For those of you who question why 1ronman would do something like this, as we all first did, consider these motives.

1) 1ronman informed me prior to his announcement that he greatly wishes to become the first V2 President of eCanada, which he anticipates will be coming in July. Creating a scandal in the current administration means it's a lot less likely that there would be competition from the current CP in the upcoming elections.

2) He told me in a private conversation (which I cannot post here as it is against eRepublik rules) that he wanted more money for V2 - this was his motivation for buying bonds in such a large quantity.

3) His organization listed on ERX has reported losses, which means either that his companies are losing money or that he's lying about the losses to avoid paying dividends - either way, it makes a theft of this sort feasible.


The following is the server log evidence, as explained by NeoIce - 1ronman's IP address has been censored in this version of the article.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Ironman logs into the server with a cryptographic key. These are more secure than passwords and are a holdover from when eCanada was originally hosted on my personal web server, thule.neoice.net. In theory, this crypto key also has a password associated with it, making it extremely hard to steal someone's login credentials. The following messages are from the `auth.log` on "collective", the webserver that currently hosts eCanada.


auth.log:Jun 14 15:29:26 collective sshd[4738]: Accepted publickey for ecanada from 70.72.xxx.xxx port yyyyy ssh2
auth.log:Jun 14 18:39:42 collective sshd[13834]: Accepted publickey for ecanada from 70.72.xxx.xxx port yyyyy ssh2


Screenshot: http://img13.imageshack.us/img13/9520/logincensored.jpg

This establishes that this IP address (70.72.xxx.xxx) belongs to Ironman.

All URL requests at eCanada are logged. These messages contain a ton of information. First and foremost, we have the requesting IP address and a timestamp. All times are in PST, which is noted by the "-0700", meaning -7 hours from UTC. Next, we have the requested URL. If you're observant, you may have noticed many URLs contain things like "post_id=blah". These are variables which can be encoded within URLs and then processed by the server. Some variables, like "token" or "session_id", are basically junk, but some variables like "msg_id" are very important in determining the content of the page viewed. After the request URL, we have the "return code" and "referring URL". The return code is just a flag to say "this request worked" or "this request failed for this reason." Many people are familiar with "error 404"; those get logged. The "referring URL" is the page that the user clicked through from (if any). The last bit of information in the log entry is the "user-agent". This is information on the operating system and web browser used to make the request. This is also unimportant.

Here we see a raw entry in the eCanada.ws access_log. We will break it up according to the classification above.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5685 "http://ecanada.ws/phpmyadmin/sql.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"


IP address: 70.72.xxx.xxx
Date: [14/Jun/2010:15:35:00 -0700]
Requested URL: "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1"
Return Code: 200 5685
Referral URL: "http://ecanada.ws/phpmyadmin/sql.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC"
User-Agent: "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

So, now that we know how to analyze an access log, let's start by just stripping off the junk, which, conveniently, is most of the end.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=6528bb5fd37b62d3e50edd684df76fe9&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1"


Now we have just the IP, date and request. We can trim the request a bit too, since "token" is garbage and isn't important either. "HTTP/1.1" is just telling us what kind of request it was, so we'll chuck that out too.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php"


If you know anything about programming databases, a "primary key" is generally the piece of information that uniquely identifies an item. If you have a table of users, it's very likely that they will have a "primary key" of their user ID number. Since we know we're looking at messages, we can assume that the primary key is the message. The "sql_query" doesn't contain any useful information, but it does look like the kind of SQL query someone (or some software) would make if they were browsing phpbb_privmsgs.

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187


This is really the meat of the request. URLs convert certain characters for safety reasons in the format %##. %20 is the most common, referring to a space. For readability, let's clean this up really quickly. (reference: http://www.december.com/html/spec/esccodes.html)

70.72.xxx.xxx - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=+`phpbb_privmsgs`.`msg_id`+=+27187

I haven't covered the most basic parts yet! phpMyAdmin is a web-based control panel for MySQL databases like the one eCanada runs on. "tbl_change.php" is a page that opens a single object for viewing/editing. Everything after the question mark is information tbl_change.php uses to determine what object it's opening. Here we see it looked in database "ecanada", table "phpbb_privmsgs" and msg_id "27187". This message is the sting message which was set up with the fake password.

Screenshot: http://img638.imageshack.us/img638/3213/june14censored.jpg

ecanada.ws_access_log.1:70.72.xxx.xxx - - [11/Jun/2010:10:07:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=7974c6448e7c7bfc3ea422714e465d5a&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+26347&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5567 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"

Here we see the raw log entry for someone viewing message 26347. Let's clean it up quickly.

70.72.xxx.xxx - - [11/Jun/2010:10:07:34 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&primary_key=`phpbb_privmsgs`.`msg_id`+=+26347

Screenshot: http://img121.imageshack.us/img121/5740/june11thcensored.jpg

This msg_id corresponds to the password for Canadian National Defense. It was viewed just before the account started sending out the messages trying to get more money into the org for theft.



Ironman viewed the CND password message shortly before the attack on CND took place. A subsequent sting operation by the Prime Minister confirmed Ironman's interest in messages regarding passwords for the executive branch. It is reasonable to conclude that Ironman used his access to gain access to the CND account and commence the publicly known attack.
All of the raw logs used in this investigation are available upon request, due to their large file size and potential to contain "sensitive" information.

NeoIce
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
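The log-reading steps NeoIce walks through above (split the combined-format access_log line into its fields, URL-decode the query string, read the primary_key to learn which row tbl_change.php opened, and tie the requesting IP back to the sshd "Accepted publickey" entries in auth.log) can be automated so the same check runs over a whole log instead of one hand-picked line. The Python script below is an added example written for this edit; it is not NeoIce's tooling and nothing in it came from the eCanada server. Its sample lines are constructed in the formats the article quotes, with documentation-range addresses (203.0.113.7, 198.51.100.9) and a made-up token standing in for the censored real values. It goes slightly beyond the article by recognising any phpMyAdmin row view, not just the privmsgs table, and reporting only the tables listed as sensitive.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample input (not the real eCanada logs): sshd lines in the auth.log
# format quoted in the article, plus one failed login that must be ignored.
AUTH_LOG = """\
Jun 14 15:29:26 collective sshd[4738]: Accepted publickey for ecanada from 203.0.113.7 port 51022 ssh2
Jun 14 18:39:42 collective sshd[13834]: Accepted publickey for ecanada from 203.0.113.7 port 51440 ssh2
Jun 14 19:02:11 collective sshd[14001]: Failed password for invalid user admin from 198.51.100.9 port 40112 ssh2
"""

# Constructed sample input: Apache "combined" access_log lines. Line 1 mirrors the
# article's phpMyAdmin row view (msg_id 27187); line 2 is ordinary forum browsing;
# line 3 is a row view of a table we do not treat as sensitive.
ACCESS_LOG = """\
203.0.113.7 - - [14/Jun/2010:15:35:00 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_privmsgs&token=0123abcd&primary_key=+%60phpbb_privmsgs%60.%60msg_id%60+%3D+27187&sql_query=SELECT+%2A+FROM+%60phpbb_privmsgs%60++ORDER+BY+%60phpbb_privmsgs%60.%60msg_id%60++DESC&goto=sql.php HTTP/1.1" 200 5685 "http://ecanada.ws/phpmyadmin/sql.php" "Mozilla/5.0 (constructed)"
198.51.100.9 - - [14/Jun/2010:15:36:10 -0700] "GET /viewtopic.php?f=3&t=1201 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (constructed)"
203.0.113.7 - - [14/Jun/2010:15:40:21 -0700] "GET /phpmyadmin/tbl_change.php?db=ecanada&table=phpbb_users&token=0123abcd&primary_key=+%60phpbb_users%60.%60user_id%60+%3D+42&goto=sql.php HTTP/1.1" 404 312 "-" "Mozilla/5.0 (constructed)"
"""

# ip ident user [timestamp] "method target protocol" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# OpenSSH success line: Accepted <method> for <user> from <ip> port <port> ssh2
SSHD_ACCEPT_RE = re.compile(r'Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)')
# phpMyAdmin primary_key once URL-decoded: `table`.`column` = 27187
PRIMARY_KEY_RE = re.compile(r'`?(?P<table>\w+)`?\.`?(?P<column>\w+)`?\s*=\s*(?P<value>\d+)')


def parse_auth_log(text):
    """Map each source IP to the sorted list of accounts that completed an SSH login from it."""
    logins = {}
    for line in text.splitlines():
        m = SSHD_ACCEPT_RE.search(line)
        if m:
            logins.setdefault(m['ip'], set()).add(m['user'])
    return {ip: sorted(users) for ip, users in logins.items()}


def parse_access_line(line):
    """Split one combined-format line into named fields; query parameters are URL-decoded."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['when'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(rec['target'])
    rec['path'] = url.path
    # parse_qs turns '+' into ' ' and %60 into '`', so primary_key becomes readable SQL
    rec['params'] = {k: v[0] for k, v in parse_qs(url.query).items()}
    rec['status'] = int(rec['status'])
    return rec


def phpmyadmin_row_view(rec):
    """If the request opened a single row via tbl_change.php, return (db, table, column, key)."""
    if rec is None or not rec['path'].endswith('/tbl_change.php'):
        return None
    key = PRIMARY_KEY_RE.search(rec['params'].get('primary_key', ''))
    if not key:
        return None
    return (rec['params'].get('db'), key['table'], key['column'], int(key['value']))


def find_sensitive_row_views(auth_text, access_text, sensitive_tables=('phpbb_privmsgs',)):
    """Report direct database reads of sensitive tables, tagged with SSH accounts seen from the same IP."""
    ssh_by_ip = parse_auth_log(auth_text)
    findings = []
    for line in access_text.splitlines():
        rec = parse_access_line(line)
        view = phpmyadmin_row_view(rec)
        if view and view[1] in sensitive_tables:
            db, table, column, value = view
            findings.append({
                'ip': rec['ip'], 'when': rec['when'].isoformat(), 'status': rec['status'],
                'db': db, 'table': table, column: value,
                'ssh_accounts': ssh_by_ip.get(rec['ip'], []),
            })
    return findings


if __name__ == '__main__':
    for finding in find_sensitive_row_views(AUTH_LOG, ACCESS_LOG):
        print(finding)
```

Run as-is it prints a single finding: the 15:35 phpMyAdmin read of phpbb_privmsgs msg_id 27187 from the address that also completed SSH logins as `ecanada`, while the viewtopic.php request and the read of phpbb_users are left alone. On a real server the same two functions would be fed the actual auth.log and access_log, and sensitive_tables widened to any table that stores private messages or credentials; that turns the one-off manual hunt described above into a check an admin can run routinely.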

***All screenshots, server logs, and conversations are posted with the permission of NeoIce***

The new forums will be at ecanada.cc - please bookmark this. No old information from the forums should be lost, but players who have been inactive may be cleaned up, and NeoIce, a neutral third party, will now be the new root admin.

Thank you eCanada for your patience in this investigation. It feels very liberating to have discovered who is responsible, even though it was a longtime eCanadian and somebody I had thought I could trust. Nonetheless, I'm glad the truth has come out.

Let's all hope the admins see the light and return the guns and CAD 1ronman has taken to the eCanadian people.
