Cereus poker security alerts

Status
Not open for further replies.
Poker Orifice

FoolsTilt
Platinum Level
Joined
Jan 19, 2008
Total posts
25,840
Awards
6
CA
Chips
1,032
All of this puts me in a bit of a predicament. It's obvious to me now that I should not be playing at Ultimatebet anymore. But, I have a decent size bankroll there built up from freeroll winnings. So, in order to get out, I am going to have to make a deposit. I really don't want to let this money go, but a deposit is going to lead to further support of the site, at least for a little while.

sendmychips site, check it out. You can make transfers on there for a 5% fee. UB is one of the sites they deal with.

Can't Joe just SSS his way up to a quick grand?
 
The Dr

Enthusiast
Silver Level
Joined
May 7, 2010
Total posts
36
Chips
0
What exactly are you a Dr of? please show the votes of players that want Ultimatebet shut down, alternatively stfu. I feel the man does complain too much, do u work for PS or FT ? I too can offer conspiracy theories.

How about you act like a normal human being when debating/discussing issues.
 
The Dr

Enthusiast
Silver Level
Joined
May 7, 2010
Total posts
36
Chips
0
Their cashout policies suck so bad. The minimum withdrawal is $100 and they charge you $8 to mail you a check. I have $63.50 in mine and Joe has $103.82 in his. So he doesn't have enough to withdraw $100 and pay the $8 fee and I don't have enough to withdraw at all. I can transfer to him - but I have to leave $25 in my account.

So I think I will play the remaining CC games this month and try to get my balance high enough to send him $10 and leave $108 in mine to withdraw. Otherwise I will transfer all but $25 to him and I guess I will play enough sng's to either lose it or increase it to $108. Once that is done we are both done with the site no later than the end of this month. It would be today if they weren't trying to squeeze every dollar they can out of us.

Wow that is unbelievable. I had no idea the cashout restrictions were so tough. That annoys me even more.
 
bhood1776

Rock Star
Silver Level
Joined
Feb 17, 2010
Total posts
182
Chips
0
How about you act like a normal human being when debating/discussing issues.

You don't have much room to talk. You came on this forum calling people a disgrace for playing there. So if you want something, you have to give it out as well.
 
bhood1776

Rock Star
Silver Level
Joined
Feb 17, 2010
Total posts
182
Chips
0
Wow that is unbelievable. I had no idea the cashout restrictions were so tough. That annoys me even more.

The only difference between this policy and FT is the $8 fee. Min withdraw by check on FT is also $100. Being a mod on a poker forum I'm surprised you don't know this.
 
Debi

Forum Admin
Administrator
Joined
Oct 13, 2006
Total posts
74,735
Awards
20
Chips
1,360
The only difference between this policy and FT is the $8 fee. Min withdraw by check on FT is also $100. Being a mod on a poker forum I'm surprised you don't know this.

The $8 fee is enough of a difference on its own imo. FT does not require you to leave a $25 balance in your account when you transfer funds either - so that is another difference.

Also - I am an admin on a poker forum and didn't know that the minimum withdrawal amount at FT was $100. :p

I have never tried to withdraw less than $200-300 there though.
 
Dorkus Malorkus

HELLO INTERNET
Silver Level
Joined
Jul 12, 2005
Total posts
12,422
Chips
0
Mod who has no idea what min cashouts on FT/UB/pretty much anywhere are reporting in. *salute*
 
The Dr

Enthusiast
Silver Level
Joined
May 7, 2010
Total posts
36
Chips
0
You don't have much room to talk. You came on this forum calling people a disgrace for playing there. So if you want something, you have to give it out as well.

Not that I really feel like responding to such posters, which almost seems like a gimmick account of pothole's, but if people cannot handle being called out for playing on a shady site like UB then maybe this isn't the place for you. If you cannot tell the difference between my posting and his.. well there isn't much hope for this conversation, is there? I don't see myself posting about rigged sites and bothering members because they were online for 10 minutes and didn't respond to his nonsense 'what exactly are you a doctor of'. Furthermore going on to say I am a shill from another site.

Now if you have something to discuss other than for standing up for other posters just for sake of it, please by all means speak up.

As for your second post, I don't think I have ever cashed out via check from fulltilt or UB. So if they are both the same (which they are not because an $8 fee is quite a difference) why should I know because I am a mod? Also, I believe FT doesn't require you to leave $25 in your account.

So again, please add something to the topic or be on your way. The thread getting derailed is rather annoying for the readers. Now if either of you two have questions or concerns in regards to my post about UB, ask and I will be more than happy to converse with you. If it is more of the above, I will no longer entertain you.
 
bhood1776

Rock Star
Silver Level
Joined
Feb 17, 2010
Total posts
182
Chips
0
The $8 fee is enough of a difference on its own imo. FT does not require you to leave a $25 balance in your account when you transfer funds either - so that is another difference.

Also - I am an admin on a poker forum and didn't know that the minimum withdrawal amount at FT was $100. :p

I have never tried to withdraw less than $200-300 there though.

Yeah I agree the $8 sucks and makes FT better in that regard. The Dr. just made it sound like the difference was night and day.
 
The Dr

Enthusiast
Silver Level
Joined
May 7, 2010
Total posts
36
Chips
0
Mod who has no idea what min cashouts on FT/Ultimatebet/pretty much anywhere are reporting in. *salute*
;)


I suggest the bigger issue is the lack of management controls, which is probably a generous way of putting it. This company is potentially putting the online poker industry at risk by allowing scandals to fester - the first being a major scandal that has fed every conspiracy theory about online poker, and this more recent one demonstrating that a prominent online poker site is not using the highest security protocols available. Given the amount of money being moved around, there is no possible justification for not having banking industry standards implemented imo.

In regard to PTR and their motivations - you could certainly question their motivations, but I don't understand what difference that makes. If a criminal demonstrates that another party is in the wrong, you certainly don't trust the criminal per se, but that's not relevant to whether or not the other party is in the wrong.

Not suggesting that PTR is in the wrong at all here, and they are probably doing this out of pure self-interest - after all, it's very much in their interest to have a strong online poker industry, since their site is pretty worthless without that.

Now, what does this have to do w the average microstakes player? Well, it'd be awfully convenient (if you agree that it's bad for the industry to have a site managed incompetently at best, fraudulently at worst) if the average player recognized that there are options available and have them choose to play at better managed sites, and have the industry self-correct as a result, instead of getting regulated out of existence.

You may not like the tone of the posts. fwiw, personally, I don't like the tone - I don't think The Dr will care about that, nor do I necessarily think he should care - but the message imo is correct. I hope people don't get hung up on the tone of the message, and actually consider the content of the message, which I think is worth considering (and ldo I personally agree with).
The bolded is another good point. Online poker already has a watchful eye on it by governments around the world. By this site continuing with so many security issues/scandals, all it does is cause unneeded pressure on the online industry.
 
Paj1975

Enthusiast
Silver Level
Joined
May 28, 2008
Total posts
60
Chips
0
when i got into poker in 2007 i played the .nets ft, ub, ps just play money and didn't have a clue about the ub scandal. started playing for real when i had a $3 deposit by pokerstars into my account and think i had a similar deal at ub (something like that). i pretty much installed ub and uninstalled then reinstalled in 2010, i was aware of the scandal from the mid 2000's but deposited and they matched my deposit. lost interest in the site and played black jack and i have 3 cents left... reinstalled to play the freerolls and uninstalled it again and decided to do the same with absolute to do the freerolls and i found out about the latest by viewing liv boeree's blog and took a look at the COO blog and found out about this latest thing and decided to cut ties with ub/ap. i wasn't depositing again anyways. am i going to play there again, most likely not, did this thread help my decision... probably a bit. nobody wants to be told what they should and should not do. all one can do is present their opinion and if it is good advice hope that others take it into consideration. if they want to continue to play at ub it's their choice and it should be respected.
 
kidkvno1

Sarah's Pet
Bronze Level
Joined
Aug 20, 2008
Total posts
16,281
Awards
4
Chips
50
Wait... log into your routers, your systems are getting attacked every 15 mins... They are hacking attempts, your ISPs won't block them.
So UB does not even faze right now...
 
PC69

Legend
Silver Level
Joined
Jan 6, 2008
Total posts
7,629
Chips
0
Wait... log into your routers, your systems are getting attacked every 15 mins... They are hacking attempts, your ISPs won't block them.
So Ultimatebet does not even faze right now...


What?:confused:
 
Juniorsdaddy

Visionary
Silver Level
Joined
Feb 3, 2009
Total posts
746
Chips
0
sendmychips site, check it out. You can make transfers on there for a 5% fee. Ultimatebet is one of the sites they deal with.

Thanks for the suggestion. I tried it, but I was refused. It states that anyone with an account history less than 3 months will be refused. Since I have never deposited, I probably don't have any account history.
 
Poof

Made in the USA
Silver Level
Joined
May 21, 2008
Total posts
14,419
Chips
0
Thanks for the suggestion. I tried it, but I was refused. It states that anyone with an account history less than 3 months will be refused. Since I have never deposited, I probably don't have any account history.
Maybe you have to have an account there for 3 mths?
 
kidkvno1

Sarah's Pet
Bronze Level
Joined
Aug 20, 2008
Total posts
16,281
Awards
4
Chips
50
221.192.199.46
222.215.230.49
IP numbers search them.

http://www.ipillion.com/?ip=221.192.199.48



Back on topic
http://pokerroomreview.com/poker-news/6588-cereus-poker-software-security-update/

Poker related forums and chat rooms were ablaze yesterday on the news that another poker industry website had issued evidence of a flaw in the Cereus Poker software that could potentially affect both Ultimate Bet and Absolute Poker. In a controlled environment using dummy accounts, the site known as PTR illustrated how they cracked the wireless network they were playing on and, using custom “hacking” software, were able to access otherwise secure information on the dummy accounts. While a security issue such as this should always be cause for concern, it’s important to point out that no actual exploitation of this security flaw has been reported to have taken place, aside from the controlled experiment conducted by Poker Table Ratings. According to PTR, “there are no cases of this vulnerability being used to exploit actual players.”
The vast majority of players playing from home faced little to no risk. Hardwired home-based internet connections faced almost zero risk with the relatively small percentage of people who might be playing across an unsecured public wireless connection having the highest potential vulnerability. In order to be exploited, a player would have to be specifically targeted, would have to be known to be playing on the Cereus Poker platform and would have to be playing across an unsecured wireless network. According to one poster on PTR, exploitation of this potential flaw would require a virtual perfect storm of coincidence, stating, “It isn’t a major problem, it really only affects a very small minority of cases where people are being stupid and a pretty knowledgeable hacker just happens to be very close by.” The poster continues to call PTR’s reporting nothing more than the “scaremongering of non-technical users”.
Upon being notified of PTR’s experiment, Cereus spokesman Paul Leggett thanked the website for their efforts in illustrating the potential security flaw and issued a statement on his blog assuring players that the company is taking this matter very seriously. Insisting that the company is addressing the matter immediately, Leggett also reminded players “that someone would have to have the technical capabilities to crack the encryption method we currently use and they would also have to hack into [a player's] local network in order to gain access to sensitive data.” The company, Leggett stated, is already working on implementing new encryption methods and the expectation is that all possible security issues would be fixed within a matter of hours.
As of Friday morning, Cereus reports to have upgraded their software in order to resolve the potential issue and are discussing the possibility of engaging PTR for further audits of their systems in order to assure players of a secure gaming environment. It’s clear that the company is taking this matter seriously, despite the remote chance that data could have been compromised. According to a Cereus spokesperson, “we have no reason to believe anyone has exploited this vulnerability”. However, the representative continues, the company is “reviewing all serious complaints to see if any player was able to exploit this vulnerability and we will investigate any other serious requests we receive.”
The poker community is urged to provide the Cereus Network with any related input, suggestions or questions regarding their software and security via email to pokersecurity@ub.com.
 
slycbnew

Cardschat Elite
Silver Level
Joined
Aug 8, 2008
Total posts
2,876
Chips
0
if they want to continue to play at Ultimatebet it's their choice and it should be respected.

Well, this is clearly what's getting people annoyed, having someone tell them that they're "bad" for playing at Cereus. Forget about that part of the message imo - look at the content rather than the tone:

1. The management of Cereus is terrible - negligent at best. Anyone with the least amount of management experience should be able to recognize this.

2. The fact that the management of the site is terrible has potential ramifications for legislation.

3. The fact that the management of the site is terrible makes it potentially dangerous to play there, at least due to a lack of attention to security, let alone the older cheating scandal. If consumers start getting ripped off either by outsiders hacking in, or by employees of the company, see number 2 above.

4. If the management is not substantially penalized, there's little incentive for them to do anything about it. Note that there isn't anybody who can penalize them except for the players fwiw.

5. If the management is not substantially penalized, there's little incentive for OTHER sites to implement/maintain high standards.

I'm probably missing a point or two, but w/e.

I imagine it's obvious why players who care strongly about the stability and integrity of the online poker industry would advocate, in the strongest terms possible, not playing on these sites.

So, yeah, it's an individual choice - but some individual choices are not going to coincide with what's best (if you agree w above) for the overall player population/industry at large.
 
kidkvno1

Sarah's Pet
Bronze Level
Joined
Aug 20, 2008
Total posts
16,281
Awards
4
Chips
50
Since it has not been posted..

http://blog.ultimatebet.com/
Tuesday, May 11, 2010 - COO


Hi Everyone,
We have received a lot of questions relating to the recent Security Issue and I wanted to answer the most frequently asked questions in a post. I’m sure there will be more questions and I will do my best to continue to respond to them.
Frequently Asked Questions:

How can you assure me that the site is secure currently?

After we learned of the vulnerability, we immediately began implementing an improved method for encrypting data as it transmits between player’s Clients and our Servers. We released the new and improved method in less than 24 hours after learning about the vulnerability.
We consulted a team of hackers in order to help us develop this solution, which includes complicated random keys in combination with MD5 encryption.
We have also employed this team of hackers to continually attempt to crack this solution, while we finish our implementation of the Open SSL standard for encrypting data between player’s Clients and our Servers. These hackers have been provided with the exact details of how we currently encrypt the data and we’ve asked them to use that information and attempt to crack the current encryption we are using. So far they have been unsuccessful at cracking the current encryption solution.
They have assured us that the methods we are currently using are secure and that it will take enormous amounts of resources and time to try to crack this method even with access to our code. They continue to work on cracking this code but we are confident that no one will be able to hack this solution. We will also plan to release a new version of our software on Friday, May 14th, 2010, that will be based on the Open SSL standard.
We think it is important to mention that we do have additional layers of security that we believe would detect a player if they exploited this vulnerability. Our Security Center analyzes player generated data in real-time and identifies accounts that are winning at an abnormal rate. These accounts’ hand histories are then reviewed by a dedicated team that checks for abnormal playing patterns, suspicious folds and irregular play.

Why didn’t you have SSL in the first place?

SSL technology is currently being used for encrypting certain data, such as player login credentials and all cashier information. However, the client-server communication that occurs during game play was developed using a proprietary encryption method. We are frankly embarrassed that the SSL standard was not used in this data exchange. We are very disappointed with our software development company and internal QA testing, we fully acknowledge that the blame falls on us. We are also disconcerted that this problem didn’t get flagged by the many auditors who we have engaged over the past years. We simply have no excuses for this, and would like to apologize to our players and to the poker community. We are doing everything we can to address this issue, and have taken every measure to resolve it quickly and professionally.
Why didn’t the auditors catch this?
We have been through many audits with several different Gaming Commissions and a variety of Gaming Auditors. We cannot answer this question on their behalf but we believe they didn’t catch this vulnerability in their audits because Gaming Auditors and Gaming Commissions focus more on things like: Network Security, Abnormal Winning Statistics, Access Control Measures, Anti-Money Laundering, Counter Funding of Terrorism, ensuring all types of records and data are stored, etc.
All Gaming Commissions and Auditors that we interact with are very concerned about this issue and are very interested in improving their regulations and the scope of their audits to include Client-Server Encryption going forward.
Did you consider shutting down when you learned about this?
We did consider shutting down the CEREUS Network temporarily. However, we knew we could roll out a new solution in a matter of hours and we saw the threat of someone developing a hack to exploit this vulnerability, within that time frame, very unlikely. So we decided to focus all of our resources and efforts to develop a new solution and get it live as soon as possible.
We’re continuing to investigate the issue. Any and all player complaints are being thoroughly examined to ensure that there was in fact no exploitation of the encryption vulnerability.
We think it is important to mention that we do have additional layers of security that we believe would detect a player if they exploited this vulnerability. Our Security Center analyzes player generated data in real time and identifies accounts that are winning at an abnormal rate. These accounts’ hand histories are then reviewed by a dedicated team that checks for abnormal playing patterns, suspicious folds and irregular play.
Did the old UB software, prior to CEREUS, use SSL?
Yes, the old UB software used SSL for Client-Server Encryption.

How do I know my account was not hacked?

We are currently investigating to try and determine if this vulnerability was ever exploited in the past. We expect this investigation to take some time.
At this time we have no evidence or reason to believe anyone exploited this vulnerability but we have just begun our investigation. We are reviewing all serious complaints to see if any player was able to exploit this vulnerability and we will investigate any other serious requests we receive. We are also currently considering ways to expand our investigation.
If you have any reason to believe your account was hacked or if you have any reason to believe a player might have had an unfair advantage against you, we will be happy to investigate it.
We will continue to expand this investigation as we learn more.
Were there any affected players, if yes what was done about this?
So far we have no evidence or reason to believe anyone has exploited this vulnerability but we are still in the early stages of our investigation. We are reviewing all serious complaints to see if any player was able to exploit this vulnerability and we will investigate any other serious requests we receive. We are also currently considering ways to expand our investigation.

Has the investigation for affected players been completed?

No it has not. We are still investigating and we are still receiving requests from our players to investigate additional players. We expect this investigation to take some time.
Do you have hackers testing to see if the system is safe?
Yes we have employed a team of hackers to review our current solution and provide us with recommendations. They are currently still trying to hack our system. PokerTableRatings.com has also confirmed that the method they used to hack our system no longer works after our Security Update that we released within 24 hours of learning of the vulnerability. We will also be working with them to test our Open SSL solution after it is implemented. We plan on implementing the Open SSL standard on Friday, May 14th, 2010. We will also be working with other auditors to confirm we are providing the best local security possible.
We will continue to update our players and the poker community about our new advanced solution and third party testing as it progresses.
 
nevadanick

Back to work ... zzzzz
Silver Level
Joined
Oct 3, 2007
Total posts
8,477
Chips
0
Agreed. I have about 6 wireless networks within range of my house, but mine and 1 other are the only 2 using security measures. The 4 others are free and open to all.

We have 5 others in our range... and only ours is security protected. We check periodically and it never changes... except for the day we went from 4 to 5 unprotected networks in the neighborhood... :eek:
 
Tonawanda

Visionary
Silver Level
Joined
Dec 16, 2009
Total posts
632
Chips
0
Withdrawal

I will be requesting a check from UB. If anyone wants, I could add on a transfer.

PM me.
 
Paj1975

Enthusiast
Silver Level
Joined
May 28, 2008
Total posts
60
Chips
0
i didn't say it was a good choice. i do agree with the things listed in your post sly about the reasons to not play there.
 
arahel_jazz

Unbalanced and Committed
Silver Level
Joined
Apr 6, 2007
Total posts
6,764
Chips
0
Since it has not been posted..

http://blog.ultimatebet.com/


The take-away from this that everybody should understand is that Network Security and Applications Security is really, really hard to do well. It is very EASY to do it badly (as in the MD5 offset hash) for people who are not well trained in the arts. So they put a band-aid in place (stronger keys). Big deal. The fact that there was nobody either in the company or in the Auditors that had any clue on how to do SSL or TLS is ridiculous. Any bonehead can go to FoundStone, Nessus, or SecureScout and have their servers and applications put through a security scan - which would have caught this problem in about 30 seconds. I know - I'm on the receiving end of a scan every quarter and I'm under the gun to upgrade my OpenSSL and NTP libraries because of it.

The fact that they have "hackers" employed trying to break it is a bit funny. No self-respecting company would use the term "hacker" to describe a decent Security Consulting firm. There are many out there that are well qualified to evaluate the security of the system, but they are expensive. This tells me that Cereus is taking a half-assed approach to the problem and attempting to make itself look good in the process.

Thanks for posting it Kid.
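
Added example, not part of any post in this thread and not Cereus code: the FAQ quoted above says login and cashier traffic used SSL while game-play traffic used a proprietary method. This sketch shows the kind of audit check that separates the two by testing whether a flow's first client bytes parse as a TLS ClientHello; the channel names and all byte strings are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 22         # TLS record content type for handshake messages
CLIENT_HELLO = 1           # handshake message type
MAX_RECORD_LEN = 2 ** 14   # plaintext record size limit in the TLS specifications
MIN_HELLO_BODY = 41        # version + random + empty session id + 1 suite + 1 compression


def looks_like_client_hello(first_bytes: bytes) -> bool:
    """True if the first bytes a client sent parse as a TLS ClientHello."""
    if len(first_bytes) < 9:   # 5-byte record header + 4-byte handshake header
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", first_bytes[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    return hs_type == CLIENT_HELLO and hs_len >= MIN_HELLO_BODY


def audit_channels(flows):
    """Return the names of channels whose first client bytes are not a ClientHello."""
    return [name for name, data in flows if not looks_like_client_hello(data)]


def build_client_hello() -> bytes:
    """Constructed minimal ClientHello (no extensions), used only as sample input."""
    body = (
        b"\x03\x03"      # client_version
        + bytes(32)      # random (all zero in this constructed sample)
        + b"\x00"        # empty session id
        + b"\x00\x02"    # cipher suite list length
        + b"\x00\x2f"    # one cipher suite
        + b"\x01\x00"    # one compression method: null
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


# Constructed sample capture: (channel name, first bytes sent by the client).
SAMPLE_FLOWS = [
    ("login", build_client_hello()),
    ("cashier", build_client_hello()),
    # Opaque bytes standing in for a proprietary framing; not real traffic.
    ("gameplay", bytes([0x9F, 0x3A, 0x00, 0x2C]) + bytes(range(40))),
]

if __name__ == "__main__":
    for name in audit_channels(SAMPLE_FLOWS):
        print(f"channel '{name}' does not start a TLS handshake")
```

Passing this check only shows that a channel begins a TLS handshake; certificate validation and the negotiated protocol version and cipher suite still have to be reviewed separately.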
 
doops

Visionary
Silver Level
Joined
Aug 9, 2009
Total posts
669
Chips
0
Great. Another thing to worry about. Don't have much at AP/UB these days anyway, but still...
 
Juniorsdaddy

Visionary
Silver Level
Joined
Feb 3, 2009
Total posts
746
Chips
0
Maybe you have to have an account there for 3 mths?

Actually, I have had the account for over a year. But, I have never deposited/withdrawn any money with the site. I am treated differently by UB because of this. They don't even let me converse within a freeroll once I am ousted since I have never deposited.

No big deal, as I have decided to go the min deposit route anyways.
 
kardmania

Rock Star
Silver Level
Joined
May 27, 2005
Total posts
225
Chips
0
I realize that there is not a lot of love between this forum and cereus.

I am not a computer expert but I have had responsibility to purchase and administer systems. You just don’t know all your weak spots until one is exploited.

Is it possible that this was done on purpose to steal player dollars by the firm’s executives? Yes possible but when contrasted to the damage done to the value of the firm and the stock options held by executives rather unlikely.

I have spoken with various personnel at Absolute; a few were solid, most were questionable. I have had occasion to communicate with personnel at a dozen other sites and found the quality equally dubious. Quality needs improvement across the poker world.

A few weeks ago my computer was attacked while on the Google server. This has happened in the past. Fortunately, my security saved my backside. Google personnel are top drawer yet their security has been compromised several times. I guess I best remove that site and toolbar; it is no longer clean.

This month I also had an opportunity to talk with several layers of security at Chase Bank. The bad news is that they would fit in better at customer support at Absolute Poker than the corner 1 branch bank. Most major banks worldwide have been attacked electronically and with counterfeit. Best get the shovels ready since we can’t trust the banks moving forward. Yes, it's time to bury your ducats in the back yard.

The Bad Truth is that Cyber InSecurity is an evolving, rapidly changing animal and you best take some responsibility to cover your backside. India has stopped importing many electronics from China fearing electronic espionage in multiple forms.

Any institution or individual with assets is under attack and all have flaws or openings. I think we need to see how firms react to adversity before issuing final condemnation. That does not mean that I feel that these sites are clean; it means that their actions require greater and further scrutiny. I am willing to see what management is going to do now to make this system right for their players.

I see these same accusations of rigged games, cheating, and super hands to max pot sizes at every site I have ever played.

My guess is that every site of any scale has been compromised at some time. Some sites have been hit by smarter crooks and superior managements.

Online poker needs top quality support, management, and integrity. I hope that the industry moves to deliver what their clients deserve.




 