Cereus poker security alerts

Status
Not open for further replies.
c9h13no3
skoldpadda
More reason I would never play AP or UB. Take your money off of those sites and put it someplace more secure.
 
arahel_jazz
This is why I only play on Full Tilt (uses TLS) and PokerStars (uses SSLv3).
There is no excuse for a major vendor not to use industry grade encryption.

By the way, now that this is "in the wild" as it is commonly said, attacks will increase against the site.
 
Juniorsdaddy
Glad to be playing there with free money. I keep on debating whether to deposit or not, but stuff like this keeps making it harder for me to justify it.
 
Stick66
Saw this article today and even though I don't play there I thought I would forward this article on


http://www.pokertableratings.com/blog/2010/05/ptr-security-alert-cereus-poker-network/
I watched the video and the security flaw has to do with local interception of data, meaning someone nearby with a rare amount of knowledge could possibly intercept data sent to your computer through your wireless connection or somehow wired into your wired connection.

The demonstration shows the holecards data sent to your computer, but how could someone near enough to you use those against you? I couldn't imagine anyone being less than a mile away, wired or wireless, getting your holecards and playing against you (or relaying them to someone else via phone voice or IM). That would be a ton of effort and planning to attack just one specific player. Some crook on the other side of the world couldn't do this from his computer.

BUT... If your password can be stolen in this manner, then I could see this being somewhat of an issue. But it would have to be what amounts to an "inside job". The thief would have to 1) know about online poker, 2) know you play online poker, 3) know you play on Cereus, AND 4) be waiting close enough to your network for you to log on or have some sort of unmanned device set up to record your log on info. All quite far-fetched imo.

Whatever the degree of worry on this, the fact is that this hole has JUST NOW been discovered. How many other security holes in the Cereus network haven't been discovered yet? Not looking good for the AP/UB folks right now imo.

Opinions?
 
IcyBlueAce
Hi Dameon,

We really truly appreciate the email you have sent us regarding the vulnerability in our encryption. I just became aware of your article 30 minutes ago and I have read your article and watched the video. I think you have done a great thing for the poker community by emailing us and letting the community know about it. Thank you for that.

I would also like to express how seriously we take this issue. I’m expecting to have a solution in place in a matter of hours and I would really like to discuss engaging your company to help us test the solution, if your company provides such services.

I would greatly appreciate it, if you could paste the contents of this email on your website, so your followers are assured that we are aware of the issue and we are working diligently to address it.

I would also like to emphasize to your readers that this issue would require someone to have access to their local network and also have the technical capabilities to crack our encryption in order to gain access to the player data and see the clear text like you did in your demonstration.

Again, I greatly appreciate you notifying us and the poker community and we will investigate this fully and completely and fix the problem immediately.

Regards,

Paul Leggett
COO, Tokwiro Enterprises

:D :rolleyes:
 
LombardiStix
Wow. I've heard about weakness, but that demo was creepy. I realize there are limits to the exploitation... but the limits should be ZERO. With the amount of currency they pull in, you think #1 priority would be to maintain credibility among users. This ain't the way to go. Hmmm. Good thing I don't have funds there. lol

Flabbergasted Stix
 
slycbnew
Kudos to PTR.

I'm not up on industry standard security encryption etc., but this is beyond idiotic if Cereus, which was re-built after the potripper scandal to ensure the community that it's safe to play UB and AP, used a known-to-be weak form of encryption. Truly sad.
 
The Dr
Ultimate Bet/AP massive security flaw/UB ceo releases a statement

This should set the story up perfectly:

"One hour ago, I learned about an article posted today on Poker Table Ratings (PTR) regarding an issue with the local encryption that we use on the Cereus Poker Network. For those of you not familiar with the issue, PTR was able to crack our local encryption method."

from yours truly Mr. COO (Chief Operating Officer) Paul Leggett

I am really shocked they have let something so serious happen again.

Their security systems have been set up in a way where it would be very easy to hack. They use a very weak encryption code therefore making it very easy for hackers to take over your accounts or be able to see hole cards.

Every online site uses a standard industry SSL encryption, these guys designed their own. Now tell me how highly trained computer professionals design such a thing but don't understand how vulnerable it is? It's impossible, they would have to know.

So what is the reason for this? Well I don't know the answer but I can assume a thing or two. Maybe it's paranoia but if it was designed this way...was it for their own use to abuse the weakness? Meaning, are the employees/owners using gimmick accounts from different IP addresses and doing another potripper scandal? I just don't understand how this could happen. Especially after their other security issues.

You can read how PTR just recently discovered these flaws, they even did a short video to help explain and show the viewers what is going on.

http://www.pokertableratings.com/blog/2010/05/ptr-security-alert-cereus-poker-network/

Also, the COO has just recently released a statement that makes zero sense at all. It would be absolutely impossible for them to have everything sorted out within the couple of hours the COO is promising. To add to this, what he says basically contradicts what the investigators have found. You can read his statement here. http://blog.ultimatebet.com/
 
F Paulsson
To be the devil's advocate, sort of, for awhile: Highly trained computer professionals come in different flavors. I fit the description, but I wouldn't know how to design a secure encryption system. If my boss told me to do it, I'd tell him I didn't know how. Here's where it might get dicey: If he insisted and asked me why the hell he hired me if I can't even do that, I might consider trying to put something together. Somewhere along the lines of communication the phrase "just make it work" gets thrown around once and suddenly quality is less of an issue than delivery, and I want to keep my job. So I do it.

My boss wouldn't do that, but I have no problem thinking of engineers who would respond in the same way I would if their jobs depended on it. Designing a secure system is far from trivial; I work with some of the best programmers I've met and despite the fact that we do work with secure transmissions (DVB descrambling and encrypted bootloaders mostly), even our primary security guy wouldn't be qualified to design a system like this. You need an expert, but that brings us back to the "why didn't they buy a standard solution" question.

All I'm really saying is that programmers can do a shitty job of this without there being malicious intents behind it. The possibility exists, of course, but I'm a firm believer in incompetence being far more common than conspiracies.
 
slycbnew
It's funny, I saw mentioned on another forum that it'd be really scary if UB/AP were able to implement a fix in a couple of hours, since that would mean they were aware of the issue (i.e., it's too complicated to simply put in a quick fix, so if they were able to fix it quickly...).

I agree that it's much more likely that this is incompetence rather than deliberate. Unfortunately, I find that just as, if not more, scary. The security on these sites ought to be as good as a bank's security, given the amount of electronic money they're working with.

I'm personally annoyed - I'm aware the games are a lot softer on Cereus than on the sites I play (PS/FT), and was literally about to move a chunk of money to AP this weekend to take advantage of that. So much for that idea.

/rant
 
BelgoSuisse
All I'm really saying is that programmers can do a shitty job of this without there being malicious intents behind it. The possibility exists, of course, but I'm a firm believer in incompetence being far more common than conspiracies.

Sure, you should never underestimate how stupid and incompetent people are. But obviously you should also never underestimate how greedy they can be.

The thing about this security leak is that in order to exploit it you need to snoop the network traffic between the client and the server. And the very best place to do that is obviously when you're physically close to the servers... i.e. when you're a Cereus employee. Given their past history, I'm not convinced that this is just incompetence.
 
F Paulsson
I'm not precisely convinced of this just being a case of poor programming either - like I said, just playing devil's advocate in what amounts to an insanity plea.
 
IcyBlueAce
People would flame on me when I told them I would play on UB, but after this, no more chances.

I'll never play on UB/AP ever again.

This was really out of line for a company dealing with so much money.
 
ComplexPlaya
I watched the video and the security flaw has to do with local interception of data, meaning someone nearby with a rare amount of knowledge could possibly intercept data sent to your computer through your wireless connection or somehow wired into your wired connection.

The demonstration shows the holecards data sent to your computer, but how could someone near enough to you use those against you? I couldn't imagine anyone being less than a mile away, wired or wireless, getting your holecards and playing against you (or relaying them to someone else via phone voice or IM). That would be a ton of effort and planning to attack just one specific player. Some crook on the other side of the world couldn't do this from his computer.

BUT... If your password can be stolen in this manner, then I could see this being somewhat of an issue. But it would have to be what amounts to an "inside job". The thief would have to 1) know about online poker, 2) know you play online poker, 3) know you play on Cereus, AND 4) be waiting close enough to your network for you to log on or have some sort of unmanned device set up to record your log on info. All quite far-fetched imo.

Whatever the degree of worry on this, the fact is that this hole has JUST NOW been discovered. How many other security holes in the Cereus network haven't been discovered yet? Not looking good for the Absolute Poker/Ultimatebet folks right now imo.

Opinions?

Are you kidding me? Please, tell me you're kidding me!

This is such a juicy thing, the kind that could set you up for life in a short time, that people would jump through 1000 hoops to get it.

As for "rare knowledge" I wouldn't know how but I think any network professional can use a packet sniffer successfully lol. Yes you can steal login info as well since it's hardly encrypted.

I don't think it would be that hard to find people that use absolute, from the PC I can see scanning for open cereus ports, whichever they are. This should work only on PC's with their own IP and not behind a router, I don't know I guess it depends on the router's firewall, but you might get some IP's if you search the area/country with most cereus users.

Easier still, take a look at who cereus big winners are, there's usually info on them such as names etc. from PTR or forums/whatever, then just find their addresses.

I wonder what the techies working @ Cereus all have as side jobs? Anyone care to guess?

Their reply to PTR was so sickening too, and you know the worst part of it, they won't be too affected - a lot of people still play there even after the previously proven cheating. People just won't get info on this, and a lot that will know will still play there, I bet.

Someone please hack cereus to get the e-mails of their users, send everyone such an e-mail lol
 
bhood1776
I only play on UB right now and to be honest this does bother me at all. The PTR techie even said someone would have to hack your network. I've gotten to the point where I no longer use public WiFi for several reasons. When I play there I'm always using a directly wired network so I don't see how anyone could see my cards.
 
WVHillbilly
I only play on Ultimatebet right now and to be honest this does bother me at all. The PTR techie even said someone would have to hack your network. I've gotten to the point where I no longer use public WiFi for several reasons. When I play there I'm always using a directly wired network so I don't see how anyone could see my cards.

Or theirs. Or a router between your network and theirs.

No ****ing way I'd play there until this is resolved and not 100% I'd ever play there again even after it is. I currently have no account at either site BTW.
 
PC69
I've said it time and time and time again.. Ultimate Bet is the worst.. Terrible terrible site. Wouldn't shed a tear if Cardschat completely stopped all the tourneys they host over there.
 
polingpower
I've thought about opening an account there also ...
I guess not now .....
 
PC69
Had to ? them on their blog about why just now they're "providing the best security money can buy" when they should have been providing that all along and especially after all the crap they were involved with previously.. What a joke that site is and the people who run it.
 
bhood1776
I guess UB found a quick fix. I am playing a tourney right now on there and they just put up a banner saying all cash table games will be down for the next 12 hours for "scheduled maintenance".
 
wetyeti
Wow, I was just about to move some funds over to AP or Black Chip today. This is just pathetic. I have to agree with Belgo, given UB's history, how can I expect this to be a total accident?
 
arahel_jazz
Actually the funniest thing (to me) about all of this, is that a large majority of users of the Cereus network probably have weaker security controls on their local systems than this silly discussion of MD5 vs. higher level security in the transport.

In plain words: Most people are at higher risk of having their personal information hacked in their own systems than this being exploited for profit. Yet, they cry "foul" when stuff like this is exposed.
 