5/8/10 – The management at Cereus online poker network owners Tokwiro Enterprises must have groaned in dismay just before the weekend as news broke that a new software flaw had been uncovered at the network, comprised of the AbsolutePoker and UltimateBet websites.
The two online poker sites have historically been the setting for online poker’s biggest cheating scandals which cost Tokwiro millions of dollars in licensing jurisdiction fines and player compensation, and more on painstakingly rebuilding badly dented reputations.
The current issue was exposed by the information portal Poker Table Ratings and apparently has the potential to result in the possibility of a cheater ‘seizing’ control of a player’s account and seeing his or her hole cards.
PTR immediately went to press to warn players, at the same time passing on its information to Tokwiro. The portal additionally issued a “security alert” advising players not to play at AP/UB on grounds that Cereus was using XOR encryption rather than the poker industry standard SSL protocol for all network transmissions.
One notable difference in how the issue is being handled has become immediately apparent; gone is the past approach of denial, secrecy and procrastination. In its place, Paul Leggett as chief operating officer for Tokwiro immediately took the issue on board and started blogging.
This was what he had to say:
“One hour ago, I learned about an article posted today on Poker Table Ratings (PTR) regarding an issue with the local encryption that we use on the Cereus Poker Network.
“For those of you not familiar with the issue, PTR was able to crack our local encryption method.
“I wanted to blog to make sure our players and the poker community know how seriously we take this issue.
“I would like to start by reminding everyone that someone would have to have the technical capabilities to crack the encryption method we currently use and they would also have to hack into your local network in order to gain access to sensitive [player gaming] data. We are currently working on implementing a new encryption method and we expect to have it live in a matter of hours.”
Leggett went on to comment that the revelations were embarrassing inasmuch as internal IT staff had not caught the flaw and neither had “the countless audits we’ve been through this year and last year.”
He assured readers that the company has spent a significant amount of money on all types of security since the AB and UB debacles, and has plans to invest in new security resources and third parties to test these to ensure that players are protected by the best security that money can buy.
Leggett publicly thanked Poker Table Ratings for exposing the encryption flaw.
“We will continue to update you on this issue but we will not rest until it is fixed and as I stated earlier, we plan to have this issue resolved within a matter of hours.”
A software update was issued a few hours later, and the firm promised the release of a more advanced solution using the Open SSL protocol, scheduled to be available in one week.
Leggett also immediately alerted the Cereus licensing jurisdiction – the Kahnawake Gaming Commission.
Leggett was immediately challenged by one poster who claimed: “It is completely untrue that someone would have to have local network access to take advantage of this, and that assertion is flat out wrong.
“Someone working for UB’s ISP could intercept ALL traffic coming into UB’s servers and use this exploit. The [gaming] data is vulnerable at EVERY hop between the user’s PC and the server.
“Your response is also unacceptable, by not immediately shutting down ALL games, you are allowing this vulnerability to persist on LIVE games while you fix it.”
Respected poker journo B.J. Nemath took a calmer view, noting that computer security takes many forms, and there are many different points of potential vulnerability.
“This exploit is completely different than the one allegedly used by Russ Hamilton [in the previous scandal] to see his opponent’s hole cards from anywhere in the world,” Nemath opined.
“Notice that in this exploit, you can only see hole cards for players on a locally-accessible network — in this test, the guy can only see his own hole cards. That’s because your opponents’ hole cards aren’t transmitted to your computer until the hand reaches showdown.
“But if you knew where your opponent lived, and had someone parked down the street “sniffing” his wireless network, that person could call you on his cellphone and tell you your opponents hole cards at the start of each and every hand.
“I’m not trying to lessen this issue – it’s a very big deal, and this security hole needs to be fixed ASAP.
“This seems to be a simple fix (with a short-term patch in less than 24 hours and a long-term fix coming in a week).”
It seems the AB/UB history will never be laid completely to rest; just last week the former editor of Poker News, Haley Hintze, published on her blog extensive findings and insider information on the historic scandals.
She continues to investigate the issues on suspicions of cover ups at the time, suggesting that Russ Hamilton may have been a scapegoat whilst others went free and unidentified.
Visit UltimateBet Poker or AbsolutePoker now.