Monday April 15, 2013: ONLINE POKER SOFTWARE FIRM FIXING SECURITY ISSUE (Update)
B3W reacts fast to ReVuln revelations
The Malta-based poker software developer B3W has reacted quickly to claims by online security company ReVuln that its software contains vulnerabilities.
Over the weekend a company spokesman told the IDG news service that work has already commenced on the root problem pointed out in a report released last week by Luigi Auriemma and Donato Ferrante of ReVuln, a vulnerability research consultancy also based in Malta.
ReVuln's report, which also looked at products from major companies like Microgaming and Playtech, focused on poker software and the downloaded client.
AJ Thompson, B3W's director of strategy, assured IDG that players using its software have not been hacked in 12 years of operating online.
The researchers found that B3W's software updates itself over an insecure HTTP connection. Updated files are stored without digital signatures, and ".exe" files are not verified before installation. They also found issues with how B3W's software stores passwords on a person's computer.
"The industry standard for distributing new poker clients is through content delivery networks," Thompson told the news service. "B3W uses a CDN from Fileburst.
"Using a secure connection with Fileburst is possible, but the digitally-signed security certificate would not match that of the software that is delivered," he said.
However, B3W has found a way to deliver secure updates.
"We have decided to move all client updating to our own data centers over SSL using a signed certificate trusted by the poker client code," Thompson revealed.
"The changes will eliminate three issues outlined by ReVuln, including those around executing an unverified file, a directory traversal issue and a stack-based buffer overflow.
"B3W hasn't decided how to handle passwords that are saved by the poker client. Passwords that are not stored by a password key chain can only be obfuscated, and to create a password for a password would be less convenient for players," Thompson said.
"We do have a build of a client which does not allow the saving of the password, and we are considering the introduction of this to the core client build."
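The client-side checks that answer the reported update findings (plain-HTTP download, unsigned files, unverified executables, directory traversal), as an added Go example that is not B3W's or ReVuln's code. The manifest format, the Ed25519 signature and the names `Manifest`, `BuildManifest` and `VerifyUpdate` are assumptions for illustration; the example signs the update itself, which complements rather than reproduces the TLS certificate approach Thompson describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"path"
	"path/filepath"
	"strings"
)

// Manifest is a hypothetical update descriptor; the vendor signs its JSON bytes.
type Manifest struct{ URL, Name, SHA256 string }
// BuildManifest is the vendor-side step: bind URL, relative name and digest.
func BuildManifest(u, name string, file []byte) []byte {
	raw, _ := json.Marshal(Manifest{u, name, fmt.Sprintf("%x", sha256.Sum256(file))})
	return raw
}

// VerifyUpdate returns the install path only if every client-side check passes.
func VerifyUpdate(pub ed25519.PublicKey, raw, sig, file []byte, dir string) (string, error) {
	if !ed25519.Verify(pub, raw, sig) { // authenticate before parsing any field
		return "", errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return "", errors.New("update URL must be https")
	}
	if fmt.Sprintf("%x", sha256.Sum256(file)) != m.SHA256 {
		return "", errors.New("file digest mismatch")
	}
	rel := path.Clean(strings.ReplaceAll(m.Name, `\`, "/")) // normalise separators
	if rel == "." || rel == ".." || strings.HasPrefix(rel, "../") || strings.HasPrefix(rel, "/") || strings.Contains(rel, ":") {
		return "", errors.New("file name escapes install directory")
	}
	return filepath.Join(dir, filepath.FromSlash(rel)), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	file := []byte("constructed update payload")
	raw := BuildManifest("https://updates.example.invalid/client.exe", "bin/client.exe", file)
	fmt.Println(VerifyUpdate(pub, raw, ed25519.Sign(priv, raw), file, "/opt/client"))
}
```

A shipped client would embed only the vendor's public key; the private key stays on the build system and never travels with the update.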
Late last year B3W signed an agreement with NYX Interactive AB to launch NYX OGS games within its casino gaming suite.