home | about us | contact | site map | credits | disclaimer | bookmark

Absolute Poker and Ultimate Bet: more cheating or a security flaw? Security so weak that hole cards were easily read.


Friday, May 14, 2010

Absolute Poker and Ultimate Bet: more cheating or a security flaw? Security so weak that hole cards were easily read.


A few days ago, Poker Table Ratings published an article advising that Cereus Poker Network uses weak encryption:



Cereus Poker Network uses weak encryption, poor security practices


Release Date: 2010-05-06

Last Update: 2010-05-06

Severity: Critical

Impact: Exposure of sensitive information

Where: Network access required

Solution Status: None

Poker Sites: Absolute Poker, Ultimate Bet


Description:

The Cereus poker network uses a weak xor based encryption mechanism for all network transmissions instead of the industry standard SSL. The encryption key can be easily identified from a network dump and used to decrypt all information transmitted between the client application and the Cereus servers.

In our lab we are able to intercept and decode the user's login name, and receive an MD5 hash of their password, as well as their seat number and hole cards. Once the MD5 password hash has been intercepted, we've been able to log in using the intercepted login name by overwriting the outgoing login packet with the intercepted MD5 hash – thus logging in the victim's poker account without their knowledge, remotely.



In other words: the Cereus Poker data encryption system is below industry standard, and can be hacked into, with shared networks being the most vulnerable.

In the Cyreus Poker companion article, PTR goes into more details about the relative simplicity of gaining access:



Testing

In our lab, using a dummy cracked wireless network, we’ve been able to successfully hijack our own test poker accounts without being connected to the network the test victim is playing on. We’ve also been able to observe hole cards as they were dealt in real time from a test victim, using the same mechanisms.

All of our tests were done in a lab environment, using cheap commercial grade hardware. There is some custom software involved in actually logging in a hijacked account, and decrypting the hole cards. The source for all of the testing totals less than 500 lines.

The wireless network cracking and snooping was done using freely available open source software.



You can also watch their Absolute Poker Network Encryption Vulnerability video on Youtube.


It's astonishing that Cereus Network opted for this easily hacked OXR system in the first place, particularly in light of these comments from PTR:



Almost every poker network uses some implementation of the SSL protocol, which is the same type of security mechanism that everyone from banks to government agencies use to secure their data.

There are several freely available implementations of this protocol including the open source OpenSSL.

SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.



Why in the world would Cereus use a hackable encryption system, when a secure system - and the industry standard to boot - is freely available, and wouldn't cost a penny?



PTR reported on the Cereus Poker security response later the same day:



I'm expecting to have a solution in place in a matter of hours and I would really like to discuss engaging your company to help us test the solution, if your company provides such services.



It's also surprising that a solution could be put in place "in a matter of hours" - did Cereus have a backup secure system to implement in the event of detection? A poster in the 2+2 Poker Another hole in UB and AP security thread had this to say:



05-06-2010, 09:31 PM

Let me make this clear. This level of **** up can't be fixed in a matter of hours. Properly fixing this in a secure tested way would take weeks.

Anything put together within the next few days will be some botched unsecured, untrustworthy hack.



The Kahnawake Gaming Commission issued a Cereus Poker advisory notice the next day, the poker rooms in question being two of their permit holders:



Based on information available at this time, it appears unlikely that player gaming data was actually compromised. However, this possibility will be reviewed further and, if necessary, the Commission will direct that the appropriate remedial actions be taken.

Until a solution to the security issue is fully implemented, the Commission recommends that players use caution when accessing the Absolute Poker or Ultimate Bet sites, in particular when using a public network (wired or wireless) or a private wireless network.



As noted in the KGC comments, Cereus Poker Network powers Absolute Poker and Ultimate Bet. These two poker rooms have a notorious and well-documented history of cheating after the exposure of the "superuser" scandal, in which employees of the two poker rooms gained an insurmountable advantage over players by reading their hole cards.


The AP situtaion is summarised in the Absolute Poker thread at 2+2 Poker, and the almost identical Ultimate Bet affair can be read about in the UltimateBet let players get cheated for millions discussion at the same forum.


Although this latest incident is a different kettle of fish to the superuser scandals of a couple of years ago, there are remarkable essential similarities: players at Absolute Poker and Ultimate Bet appear destined, come what may, to have their hole cards read.


To end on a marginally entertaining note: Cereus Poker Network is, not unsurprisingly, eCOGRA approved:



The independent standards authority of the online gaming industry, eCOGRA, has announced that the CEREUS online poker network has achieved the required standards for its Certified Software accreditation seal. eCOGRA is specifically known for their focus on fair gaming and player protection.



It's remarkable that eCOGRA failed to notice, while investigting Cereus for these "required standards of accredition", that they used a weak, vulnerable and non-standard encryption method that could result in compromise to player security potentially costing many millions of dollars, as was the case with Absolute Poker and Ultimate Bet.



0 Previous Comments


Post a Comment


May 2005 | June 2005 | July 2005 | September 2005 | October 2005 | November 2005 | December 2005 | January 2006 | February 2006 | March 2006 | April 2006 | May 2006 | August 2006 | October 2006 | January 2007 | February 2007 | March 2007 | May 2007 | June 2007 | July 2007 | January 2008 | February 2008 | March 2008 | April 2008 | June 2008 | July 2008 | September 2008 | October 2008 | December 2008 | January 2009 | February 2009 | March 2009 | May 2009 | June 2009 | July 2009 | August 2009 | September 2009 | October 2009 | November 2009 | December 2009 | January 2010 | February 2010 | March 2010 | April 2010 | May 2010 | June 2010 | July 2010 | August 2010 | October 2010 | November 2010 | December 2010 | January 2011 | February 2011 | March 2011 | April 2011 | May 2011 | June 2011 | July 2011 | August 2011 | September 2011 | December 2011 | February 2012 | May 2012 | July 2012 | August 2012 | March 2016 | April 2016 | June 2016 | November 2016 | December 2016 | March 2017 | May 2017 | June 2017 | August 2017 | Atom feed
© 2005 hundred percent gambling

ONLINE CASINO NEWS

• Online casino news


2016

• Can't split 10s?
• Overbetting
• EV charts
• The IPCA
• Basic strategy master
• Back to the future
• Site hack

2015

• Better comp value
• Pit bosses are a pest
• 32Red buys Roxy Palace
• Winneronline is gone
• Paradise Win Casino
• Blackjack simple strategy

2014

• Court refuses Ivey winnings
• Phil Ivey versus Crockfords
• 32Red does the right thing
• Wizard Of Odds sold
• Gambling addict sues Ritz
• Better blackjack conditions
• FL: the beat goes on
• Phil Ivey and the Borgata
• LadbrokesFOBT profit
• Chat with the Met
• "Bonus abuse" and the Met
• Casino industry crooks.
• Debate to curb the FOBTs
• Labour idea to ban FOBTs

2013

• Ruby Fortune: terms buried
• Royal Vegas: bad outcome
• Russia illegalises gambling
• RV: player breaks no rules
• Gib casinos and UK laws
• The GGC (GRA) useless
• BetFred rigged games 9
• BetFred rigged games 8
• Betfred rigged games 7
• BetFred rigged games 6
• BetFred rigged games 5
• BetFred rigged games 4
• Phil Ivey: is he entitled?
• BetFred rigged games 3
• Betfred rigged games 2
• BetFred: rigged games 1
•  UK GLA Act 2013
• 888.com and Facebook
• Crockfords denies Phil Ivey
• Bad dealers
• Betfair Blackjack test
• Playtech software update
• Cheap blackjack
• Hippodrome Casino

2012

• The UK's FOBT addiction
• Conan Casino beware
• Intercasino misleading
• Fortune Lounge
• UK Gambling Commission

2011

• Small Claims Court
• Gamcare
• Full Tilt Poker saved
• Full Tilt ponzi scheme
• Casino Barcelona
• Irakli Kacharava
• Betfair processor no pay
• Full Tilt licensing meeting
• UK Gambling Commission
• Full Tilt Poker investors
• Full Tilt license suspended
• Twitter
• Betfair resolution
• Casino Web Scripts 2
• 32Red bonus marketing
• Casino Web Scripts 1
• Poker domains seized
• eCOGRA independent?
• Easystreet Sports theft
• Betfair to Gibraltar
• Rigged blackjack 2
• Betfair responses
• Rigged blackjack
• 888.com theft
• Betfair poker problem
• UK gambling controls
• Harry Reid

2010

• eWallet Xpress
• Kevin Stillmock
• Blog back up
• Betfair happy hour
• Ladbrokes bonus increase
• Absolute Poker tricks US
• Absolute Poker rigged
• Last position no difference
• Basic strategy simplified
• Online casino bonuses
• Righthaven LLC
• Ladbrokes bonus rules
• Malta LGA nonsense
• Purple Lounge theft
• UK affiliates issue
• Online casino problems
• GPWA code of conduct
• One Club Casino problems
• Rushmore theft resolved
• Realtime Gaming cheats
• Absolute Poker Ultimate Bet
• Rushmore Casino theft
• Ask gamblers service
• Intercasino bonus terms
• Profitting from poverty
• Gambling dooms UK to ruin
• Want To Stop Gambling
• Gambling Therapy
• Gordon Moody Association
• Breakeven
• Online gambling jobs
• Gamblock
• Gamble Aware
• Gamblers Anonymous
• Gamcare
• Video poker auto hold
• Gambling Wages help offer
• Blackjack double down
• Intercasino rules
• Tradition Casino warning
• Tradition Casino problem
• Be The Dealer
• eCOGRA approved casinos
• UK underage gambling
• iGaming Super Show
• eCOGRA reputable portals
• eCOGRA exposed
• Slots Oasis warning
• Slots Oasis problem
• HR 2267 comments
• HR 2267 proposed bill
• Search fully functional
• Gambling hearing delayed
• Betfair download blackjack
• Betfair blackjack
• The Federal Wie Act
• Casino Rewards warning
• Kahnawake dumps GP
• GP dumps Microgaming
• UK online gambling
• Gambling checklist
• Online casino problems
• Gambling Grumbles
• Casino Rewards
• Brian Cullingworth
• Casino Wager Tracker
• Grand Prive affiliates
• Jackpots Heaven Casino
• Kahnawake commission
• UK gambling problem
• eCOGRA and Grand Prive
• Bet365 misleading bonus
• Mastercard and Visa
• Online gambling rules
• 32Red sign up bonus
• Ladbrokes data theft
• Ladbrokes unfair settlement
• Palace group bonus rules
• Grand Prive and eCOGRA

2009

• Blackjack in the UK
• Seminole Hard Rock
• The APCW and MG
• Sportsbook.com
• Slot beaters slot strategy
• Rushmore Casino theft
• Paddy Power affiliates
• Slots
• 888.com problem
• The UIGEA
• Neteller contest winner
• 888.com bonus problem
• Casino Club meeting
• Online casino directory
• 32Red debit card bonus
• Blue Square Casino
• Budapest Affiliate Expo
• Rushmore payment issues
• Modern Blackjack volume 1
• Eurolinx certain insolvency
• Buzzluck winnings theft
• PaddyPower removed
• 32Red lawsuit
• William Hill Casino Club
• Betfair video poker
• APCW underage children
• Odds page updates
• VP Genius
• Video poker page updates
• Blackjack page updates
• Progression page updates
• Single deck page updates
• Betfair Playtech license
• Cherry Red Casino
• Online gambling debate
• William Hill & Teddy Sagi
• Rogue casinos section
• Pontoon correction
• Microgaming poker scandal
• Casino Club confiscation
• Casino Club steals €8000
• Villa Fortuna Casino
• Grand Prive affiliate issue
• CAP and Cardspike 2
• Virgin Casino bad results
• CAP and Cardspike 1

2008

• iNetbet removal from site
• Mario Galea and Malta LGA
• Cold Mountain Resort
• The AGCC
• Moneybookers privacy
• Virtual Casino rebranding
• Captain Jack Casino
• Royal Ace Casino
• Ringmaster Casino
• Catseye Casino
• Lucky Palm Casino
• Pharaohs Gold Casino
• Goldstream Casino
• Plantet 7 Casino
• Betfair bonus confiscation
• Malta LGA worthless
• The GIA
• Interwetten theft of £5000
• Lucky Ace winnings stolen
• The KGC and Absolute

2007

• HippoJo Casino
• Microgaming All Aces VP
• Neteller issues
• Lou Fabiano responds
• Lou Fabiano selling stats
• Betfair Zero Lounge
• ICE 2007 brief visit
• RTG cancels ICE visit

2006

• Crystal Palace Casino theft
• eCOGRA & Jackpot Factory
• English Harbour cheating
• Boss Media single deck
• Bella Vegas / Grand Prive
• The KGC worthless
• Gambling Federation
• Playtech sued
• Meeting Andrew Beveridge
• Playtech confirmed listing
• African Palace Casino
• G-Fed ICE discussion
• Playtech ICE meeting
• Playtech issues escalation
• Chartwell hands off

2005

• Crystal Gaming silence
• Price Waterhouse Cooper
• Crystal Gaming flotation 2
• Vegas Frontier
• Crystal Gaming flotation 1
• Playtech public listing
• African Palace & Indio
• Kiwi Casino
• Rochester Casino
• G-Fed theft 2
• Warren Cloud best avoided
• Golden Palace stupidity 3
• Golden Palace stupidity 2
• G-Fed theft 1
• Golden Palace stupidity 1
• Russia online expansion
• Wan Doy Pairs Poker
• Microgaming CPU usage
• Net Entertainment RNG
• Cryptologic & William Hill
• Casino growth slow
• English Harbour paying
• Fraudster or not
• Blackjack surrender
• Integrity casino group audit