5/15/10 – The Cereus online poker network owned by Tokwiro Enterprises and comprising the Absolute Poker and Ultimatebet operations, continues to wrestle with an encryption problem on its gaming software.
After an exploitable flaw was discovered by the poker information site Poker Table Ratings.com, management moved quickly last week to install a quick-fix, consulting with independent hackers to do so.
In the meantime, the flaw was being widely reported by online media, and both the Kahnawake Gaming Commission and player protection body ECOGRA had issued player advisories warning of the problem.
The quick-fix was to be followed by the replacement of the company’s bespoke XOR encryption system with hopefully more effective OpenSSL technology, and by the end of last week COO Paul Leggett reported that this had been accomplished.
Leggett’s relief that this had been achieved must have been short-lived, however, because soon after the OpenSSL technology had been installed, Poker Table Ratings advised that the new system was also hackable, reporting: “The update seems to use OpenSSL only for player actions such as hole cards, bets, etc. – we have already been able to hijack a test poker account using the exact same methods.”
PTR later advised that Cereus had responded, advising that it had its developers (believed to be Quad Dimensions) working on the report, and that the vulnerabilities were almost under control, and player gaming data was consequently safeguarded.
“Poker Table Ratings identified an issue with our Open SSL implementation that we are working on now. They have confirmed that all card data is now using Open SSL encryption,” Leggett blogged Friday. “However, we still need to convert one more piece of data to use the new Open SSL encryption. We expect to have it fixed before the end of the day.”
The continuing saga triggered widespread online poker message board discussion, and may even have impacted business, with Poker Scout’s independent stats indicating that Cereus traffic had declined from sixth largest to ninth largest over a week.
The stats were to some extent confirmed by anecdotal evidence from the message boards, where posters claimed that although there were 15 000 players on the poker network Friday evening, the usual number would have been some 5 000 more than that.
PokerTableRatings.com has recommended that players plug directly into their modems so as to avoid exposure over a wireless network. “If a wired network is not an option, the player should make absolutely sure their network is encrypted using WPA2 encryption.”