Source: tightpoker.com
It is starting to look like the Cereus Network should think about hiring a new security team. First it was the cheating scandals at both Absolute Poker and UB.com that were discovered in 2007 and 2008 (though the latter dated back to 2005). Now, it has been discovered that serious flaws have existed in the network’s encryption.
The security holes were found not by some huge network security firm, but by PokerTableRatings.com (PTR), a website that tracks online poker player results and statistics. On Thursday, May 6th, Dameon from PTR posted a lengthy article, along with a video, on the website explaining how the Cereus Network’s encryption method leaves players vulnerable to having their data transmissions intercepted. Therefore, someone with the right computing tools could see the hole cards of their opponents.
The culprit is the “XOR” based encryption method that Cereus uses. According to Dameon and PTR, this is a very weak method of encryption, and Cereus should be using the industry standard SSL method. With proper encryption, communications between the player’s computer and the game server (such as login details or hole card information) are masked so that anyone trying to hijack the transmissions would not be able to decipher the data. PTR does not equate the XOR method to legitimate encryption, however. In the article, Dameon stated:
“In fact, the encryption that the Cereus Network employs isn’t so much encryption as it is encoding. To see how simple it is to decode this data, simply open up your windows calculator and set it on scientific mode. All that is really necessary to decode the data stream is the XOR button .
The requirement for this vulnerability to be exploited is network access. This means that if you are playing on an open wireless network, a cracked wireless network (something which is increasingly simple to do), or on a physical network which has been compromised – an attacker could dump the network traffic and exploit this vulnerability maliciously.”
The PTR article goes on to say that unsecured public wireless networks, essentially a wireless network that anyone within range can access without a password, are by far the most vulnerable to “sniffers,” or those people who hook into the network to observe network traffic. The safest would be wired networks (those that run only via cables, not through the air) in private homes where nobody other than the network’s owner would have physical access. Basically, public and wireless are more vulnerable than private and wired. Properly secured home wireless networks should be relatively safe, though.
PTR tested the vulnerability by creating a “cracked” wireless network in a lab setting using “cheap commercial grade hardware,” and a small program its staff wrote to decode hole cards. While this sort of program would not be readily available to the general public, anyone with decent programming skills would be able to recreate it. The software used to crack the network and hijack the hole card information is available on the internet. Using the video to demonstrate, PTR used a laptop equipped with the hacking programs to read the hole cards on a test Absolute Poker account that was running on another computer. Within a second or two, the hacker computer was able to display the exact cards of the test account. The most interest part was that the hacker computer was not even connected to a network – it was able to steal the data right out of the air from the unsecured wireless connection.
At the end of the article, PTR recommended that Cereus upgrade its security to the SSL standard and that nobody play on the network until that is done.
That same day, Cereus COO Paul Leggett responded, thanking PTR for bringing this issue to his company’s attention. He expressed his embarrassment and vowed to have the security hole fixed within hours. It does appear that this was done, although SSL was still not implemented. On Friday, May 7th, Leggett announced that SSL should be implemented within a week. In the meantime, he asked PTR if they would assist Cereus in testing and evaluating the new security methods, which PTR has agreed to do. PTR still recommends that people avoid playing at Cereus until SSL is in place.
Leggett has said that despite the network security issue, there have been no known instances of it being exploited. His security team is continuing to investigate any users that customers have asked about to see if anyone has been victimized.