Sign Up For Card Player's Newsletter And Free Bi-Monthly Online Magazine

UB and Absolute Poker on the Cereus Network Work to Fix Security Flaws

COO Calls Situation ‘Embarrassing,’ But Claims Issue is Now Fixed

Print-icon
 

Cereus Poker NetworkCereus Network, which is the home of the popular poker sites UB and Absolute Poker, was in the middle of a security controversy late last week when it was discovered that its two major poker sites used weak encryption methods. A poker tracking site announced on Thursday that it had hacked Cereus’ encryption method and showed how it was possible for someone to hijack a player’s account and see holecards in real time if that person was also able to hack the user’s Internet connection.

Paul Leggett, the chief operating officer of Tokwiro Enterprises (which owns both UB and Absolute Poker), issued a statement on Friday morning acknowledging the security breach and promising to do everything in his power to fix the problem.

Paul Leggett blogs about recent UB security flaw“PTR (Poker Table Ratings) was able to crack our local encryption method … I would also like to say that I am very embarrassed and upset that this issue was not caught by our internal staff or through the countless audits we’ve been through this year and last year,” said Leggett. “We’ve invested a great deal of money into all types of security and I am very shocked that this was not identified by us or the many third party auditors we’ve employed. Needless to say we plan to find new security resources and third parties to help us test this solution and make sure we provide you with the absolute best security that money can buy.”

For someone to have had actually seen another person’s holecards and utilized that information to cheat, that person would have had to hack both the site’s encryption, as well as the person’s individual Internet access. Both PTR and Cereus Network say that scenario is very unlikely.

Although this may undoubtedly remind the poker community of the superuser scandal that plagued both UB and Absolute Poker a few years ago, there are stark differences with the current situation and that scandal.

This situation appears to be a technological oversight as opposed to a thought-out inside job. While that may not lessen the anger that some poker players feel at the flaws that were in the system as of just a couple of days ago, few are claiming intentional corruption.

The controversy first came to light on Thursday, and Card Player contacted Cereus Network with questions to clarify the situation on Friday morning. Unfortunately, Cereus Network was unable to provide answers in a timely fashion, but has gotten back to Card Player with its responses. The relevant information is provided below:

Stephen A. Murphy: What exactly was the problem, and what is/did Cereus do to fix it?

Paul Leggett: There was an issue with the client encryption we were using for the Cereus game clients. The method we used for encryption/cyphering was outdated, and this was detected by Poker Table Ratings. As soon as they reported the issue to us, we immediately began working on solutions. We released a new version of our software early the next morning to address the security vulnerability.

We think it is important to note that in order for someone to have exploited this vulnerability, they would require the technical capabilities to crack the encryption/cypher method that was active prior to today, and they also would have had to hack into your local network in order to gain access to sensitive data. It is possible that a hacker could try to develop a system to intercept communication through the Internet, but this is even more complicated, and we believe it is even less likely than the first scenario described.

So far, we have no reason to believe anyone has exploited this vulnerability, but we have just begun investigating users that our players have requested of us. We are reviewing all serious complaints to see if any player was able to exploit this vulnerability, and we are committed to investigating any other serious requests we receive.

We fixed this issue by implementing a more advanced multi-layer encryption, and we have also implemented logic that will prevent any manipulation of this encryption.

We have also started working on a more advanced solution, which is the implementation of the OpenSSL standard for our client encryption. We expect to have this live in approximately one week.

We have been in communication with PTR, who we will be working with us to test the new encryption that we are using and the OpenSSL version that we are working on now. We are also discussing the possibility of PTR engaging the poker community and auditing our complete security in order to ensure we are doing everything possible to provide a secure gaming environment.

SM: Was there any thought to temporarily shutting UB and Absolute Poker down to address these problems?

PL: Yes, we did consider shutting down Cereus temporarily. However, we knew we could roll out a new solution in a matter of hours, and we saw the threat of someone developing a hack to exploit this vulnerability very unlikely within that time frame. We then focused all of our efforts on getting the new solution live as soon as possible.

SM: What (if anything) do Card Player readers need to do to keep their accounts secure?

PL: The new client encryption that we are using addresses this vulnerability, and there is nothing further that your readers need to do to secure their accounts. If your readers have any questions or concerns, we ask them to e-mail us at [email protected] or [email protected].