More security issues with AP/UB

Cereus not so serious about their security?

May 7, 2010 | 3:10 pm

The scandal-plagued Cereus Network, home of Absolute Poker and Ultimate Bet, took another hit on Thursday, this time over its encryption procedures. Poker Table Ratings (PTR) issued a “security alert” advising players not to play at AP/UB after revealing a major security flaw: Cereus was using XOR encryption, rather than the poker industry standard SSL protocol, for all network transmissions.

An example of what PTR found is in the video below:

Cereus COO Paul Leggett issued a response shortly after the PTR report came out Thursday evening, and posted a status update just a few minutes ago stating that they issued an update to their software earlier Friday and are working with PTR on the new encryption and the eventual release of a more advanced solution using OpenSSL, scheduled to be available in one week.
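Why XOR "encryption" counts as a major flaw where SSL does not, shown as an added example that is not from the original post or from PTR. It assumes a fixed repeating key and uses a constructed key and message format (`KEY`, `HANDSHAKE` and `DEAL` are hypothetical), since the post does not describe the actual Cereus scheme.

```python
from itertools import cycle

def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def keystream_from_known(ciphertext: bytes, known: bytes) -> bytes:
    """ciphertext XOR known plaintext yields the keystream for those bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))

def shortest_period(stream: bytes) -> bytes:
    """Smallest unit that repeats across the recovered keystream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def key_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """With a reused key, c1 XOR c2 equals p1 XOR p2: the key drops out."""
    n = min(len(c1), len(c2))
    return keystream_from_known(c1[:n], c2[:n]) == keystream_from_known(p1[:n], p2[:n])

# Constructed sample data (assumption): not the real Cereus key or message format.
KEY = bytes.fromhex("5ac317882e")
HANDSHAKE = b"HELLO client=demo version=1.0"  # predictable, identical every session
DEAL = b"DEAL seat=3 cards=AhKd"              # the message that should stay secret

def demo() -> bytes:
    wire_handshake = xor_cipher(HANDSHAKE, KEY)
    wire_deal = xor_cipher(DEAL, KEY)
    # Anyone who can guess the handshake text never needs to be given the key.
    recovered = shortest_period(keystream_from_known(wire_handshake, HANDSHAKE))
    assert key_cancels(wire_handshake, wire_deal, HANDSHAKE, DEAL)
    return xor_cipher(wire_deal, recovered)

if __name__ == "__main__":
    print(demo())
```

SSL/TLS has neither property: it negotiates fresh keys for every session and authenticates each record, so one predictable message reveals nothing about the next.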


12 Comments to “More security issues with AP/UB”


  1. DanM
    says:

    So interesting. Didn’t Annie Duke tell us that she was convinced Cereus had the BEST security out there now? She convinced me briefly, but now I’m also following Haley Hintze’s digging, and it seems likely that a provable cover-up was in play. Starting to think (more) that Russ Hamilton wasn’t the only bad guy to step foot in UB/AP’s offices.


  2. Kevin Mathers
    says:

    Well Cereus does state they have the “strongest” poker community…


  3. Gav
    says:

    oh wow, shit is gonna hit the fan now


  4. BJ Nemeth
    says:

    Computer security takes many forms, and there are many different points of potential vulnerability. This exploit is completely different than the one allegedly used by Russ Hamilton to see his opponent’s hole cards from anywhere in the world.

    Notice that in this exploit, you can only see hole cards for players on a locally-accessible network — in this test, the guy can only see his own hole cards. That’s because your opponents’ hole cards aren’t transmitted to your computer until the hand reaches showdown. But if you knew where your opponent lived, and had someone parked down the street “sniffing” his wireless network, that person could call you on his cellphone and tell you your opponent’s hole cards at the start of each and every hand.

    I’m not trying to lessen this issue — it’s a very big deal, and this security hole needs to be fixed ASAP. But Annie Duke’s previous comments were probably made in good faith, as she was referring to different areas of security that she was more familiar with. (We all know that Annie Duke isn’t a computer security expert.)

    I believe it’s standard practice to contact the company directly (in this case, AP & UB) when you discover a security hole, and give them a reasonable period of time to patch it before going public. This seems to be a simple fix (with a short-term patch in less than 24 hours and a long-term fix coming in a week), so Poker Table Ratings could have told AP/UB they would publish their article next week whether a fix was in place or not.

    I’m not trying to call out Poker Table Ratings — they did a great service for the poker community by discovering this security hole and making sure it got fixed. They deserve a lot of credit and appreciation, especially since (as far as I know) they aren’t a dedicated computer security firm.


  5. DanM
    says:

    BJ, I’m definitely not trying to pin anything on Annie. Of course she would have nothing to do with this other than being called into ambassadorial action. But instead of their aggressively pushing out new and good things about AP/UB … the Cereus PR team has to do damage control … again.

    If I were a high-stakes AP/UB player, in a world where Google Maps and Facebook make just about everyone easily findable, I’d be very bothered that a company claiming to be TOPS in security would have (yet another!) flaw allowing a cheater to target me with relative ease. Maybe I’m just sensitive to this living in Las Vegas, where crooks and scam-artists abound — Russ Hamilton, after all, the guy Cereus claims is Lee Harvey Poker, still lives here freely. If they really believe everything they’re saying though, then you’d think they’d use all that security power they’ve installed since the upgrade from Ultimate Bet to UB to at least make sure this one accused crook couldn’t strike their players again.

    Not sure what’s worse … if the upper management at Cereus did already know about this security flaw or did not.


  6. Kevin Mathers
    says:

    Is it strange that AP/UB/Cereus rarely discovers these errors themselves?

    (Superusers, Hellmuth winning with a losing hand, PTR discovering their poor encryption, etc, etc.)


  7. DanM
    says:

    AP/UB/Cereus … The Catholic Church of Poker.


  8. KenP
    says:

    If you are one of those vulnerable to such an exploit, you should send a thank you to the idiots at UB for pointing out what an idiot you are.

    All data streams that include a human interface must be decrypted. If the security is broken by neglect of one’s wifi setup, then blame is at least shared.

    Any router that was set up properly prevents the exploit. Banks just had a security meeting in Florida and their conclusion is to assume that all clients have compromised systems. This doesn’t address a solution but it does show how widespread is our Luddite nature.


  9. Kevin Mathers
    says:

    The Kahnawake Gaming Commission has issued their statement on the matter:

    http://www.gamingcommission.ca/news/pr05072010a.pdf


  10. Mookman5
    says:

    I wonder how long this has been going on? Seems like it could be years. How was this missed during the countless audits (lol)? I mean how did the KGC, Gaming Associates, Ecorga, etc. not find this flaw?


  11. Brian G.
    says:

    Relax. Internet poker is completely on the level. The only people that complain are the people that lose anyway, and we all know they have an axe to grind. Go ahead and log on right now and forget this nonsense.


  12. DanM
    says:

    Brian, I assume you’re being sarcastic? For all of us who’d like to believe it’s on the level, one problem after the next doesn’t instill confidence — particularly when everything is handled internally … and no one ever gets publicly fired.

    I wonder if UB/AP thinks there’s any CHANCE they’d ever get a US license should that opportunity become available to American-friendly sites.