A few days ago, Poker Table Ratings published an article advising that
Cereus Poker Network uses weak encryption:
Cereus Poker Network uses weak encryption, poor security practices
Release Date: 2010-05-06
Last Update: 2010-05-06
Severity: Critical
Impact: Exposure of sensitive information
Where: Network access required
Solution Status: None
Poker Sites: Absolute Poker, Ultimate Bet
Description:
The Cereus poker network uses a weak xor based encryption mechanism for all network transmissions instead of the industry standard SSL. The encryption key can be easily identified from a network dump and used to decrypt all information transmitted between the client application and the Cereus servers.
In our lab we are able to intercept and decode the user's login name, and receive an MD5 hash of their password, as well as their seat number and hole cards. Once the MD5 password hash has been intercepted, we've been able to log in using the intercepted login name by overwriting the outgoing login packet with the intercepted MD5 hash – thus logging in the victim's poker account without their knowledge, remotely.
In other words: the Cereus Poker data encryption system is below industry standard, and can be hacked into, with shared networks being the most vulnerable.
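The weakness the advisory describes, as an added illustration (not PTR's code and not the actual Cereus protocol): with a repeating XOR key, one predictable message exposes the key for all traffic, and a password hash sent as the credential is as good as the password itself. The key, the banner and login message formats, and the toy server check are all constructed for this example.

```python
import hashlib
from itertools import cycle

KEY = bytes.fromhex("5ac3197e")  # constructed key, not the real one

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext is the key stream; return its shortest period."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

def server_login(stored: dict, user: str, md5_hex: str) -> bool:
    """Toy server: compares the transmitted hash with the stored hash."""
    return stored.get(user) == md5_hex

def demo():
    stored = {"alice": hashlib.md5(b"correct horse").hexdigest()}
    # Constructed packets: a fixed banner every session sends, then a login.
    banner = b"HELLO CLIENT v1.0"
    login = b"LOGIN alice " + stored["alice"].encode()
    wire_banner, wire_login = xor_crypt(banner, KEY), xor_crypt(login, KEY)

    # One predictable message is enough to expose the key for all traffic.
    key = recover_key(wire_banner, banner)
    _, user, captured_hash = xor_crypt(wire_login, key).decode().split()

    # The hash is accepted without the password: it is password-equivalent.
    return key, user, server_login(stored, user, captured_hash)

if __name__ == "__main__":
    key, user, accepted = demo()
    print(f"key={key.hex()} user={user} accepted={accepted}")
```

With SSL/TLS, which the advisory names as the industry standard, keys are negotiated per connection, so a known banner reveals nothing about the rest of the traffic.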
In the Cereus Poker companion article, PTR goes into more detail about the relative simplicity of gaining access:
Testing
In our lab, using a dummy cracked wireless network, we’ve been able to successfully hijack our own test poker accounts without being connected to the network the test victim is playing on. We’ve also been able to observe hole cards as they were dealt in real time from a test victim, using the same mechanisms.
All of our tests were done in a lab environment, using cheap commercial grade hardware. There is some custom software involved in actually logging in a hijacked account, and decrypting the hole cards. The source for all of the testing totals less than 500 lines.
The wireless network cracking and snooping was done using freely available open source software.
You can also watch their Absolute Poker Network Encryption Vulnerability video on YouTube.
It's astonishing that Cereus Network opted for this easily hacked XOR system in the first place, particularly in light of these comments from PTR:
Almost every poker network uses some implementation of the SSL protocol, which is the same type of security mechanism that everyone from banks to government agencies use to secure their data.
There are several freely available implementations of this protocol including the open source OpenSSL.
SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.
Why in the world would Cereus use a hackable encryption system, when a secure system - and the industry standard to boot - is freely available, and wouldn't cost a penny?
PTR reported on the Cereus Poker security response later the same day:
I'm expecting to have a solution in place in a matter of hours and I would really like to discuss engaging your company to help us test the solution, if your company provides such services.
It's also surprising that a solution could be put in place "in a matter of hours" - did Cereus have a backup secure system to implement in the event of detection? A poster in the 2+2 Poker Another hole in UB and AP security thread had this to say:
05-06-2010, 09:31 PM
Let me make this clear. This level of **** up can't be fixed in a matter of hours. Properly fixing this in a secure tested way would take weeks.
Anything put together within the next few days will be some botched unsecured, untrustworthy hack.
The Kahnawake Gaming Commission issued a Cereus Poker advisory notice the next day, the poker rooms in question being two of their permit holders:
Based on information available at this time, it appears unlikely that player gaming data was actually compromised. However, this possibility will be reviewed further and, if necessary, the Commission will direct that the appropriate remedial actions be taken.
Until a solution to the security issue is fully implemented, the Commission recommends that players use caution when accessing the Absolute Poker or Ultimate Bet sites, in particular when using a public network (wired or wireless) or a private wireless network.
As noted in the KGC comments, Cereus Poker Network powers Absolute Poker and Ultimate Bet. These two poker rooms have a notorious and well-documented history of cheating after the exposure of the "superuser" scandal, in which employees of the two poker rooms gained an insurmountable advantage over players by reading their hole cards.
The AP situation is summarised in the Absolute Poker thread at 2+2 Poker, and the almost identical Ultimate Bet affair can be read about in the UltimateBet let players get cheated for millions discussion at the same forum.
Although this latest incident is a different kettle of fish to the superuser scandals of a couple of years ago, there are remarkable essential similarities: players at Absolute Poker and Ultimate Bet appear destined, come what may, to have their hole cards read.
To end on a marginally entertaining note: Cereus Poker Network is, not unsurprisingly, eCOGRA approved:
The independent standards authority of the online gaming industry, eCOGRA, has announced that the CEREUS online poker network has achieved the required standards for its Certified Software accreditation seal. eCOGRA is specifically known for their focus on fair gaming and player protection.
It's remarkable that eCOGRA failed to notice, while investigating Cereus for these "required standards of accreditation", that they used a weak, vulnerable and non-standard encryption method that could result in compromise to player security potentially costing many millions of dollars, as was the case with Absolute Poker and Ultimate Bet.