Cereus Still Hasn't Properly Fixed Its Security Issue
Published on May 15th, 2010 7:24 am EST
The strange dance between PokerTableRatings.com and the Cereus poker network continues.
On May 6th, 2010, PokerTableRatings.com published an article titled "PTR Security Advisory: Cereus Poker Network uses weak encryption".
In the article, PTR revealed that the Cereus poker network used a weak method of encryption for all of their network transmissions, "instead of the industry standard SSL".
PTR went on to reveal that:
"In our lab we are able to intercept and decode the user’s login name (e-mail address), and receive an MD5 hash of their password, as well as their seat number and hole cards. Once the MD5 password hash has been intercepted, we’ve been able to log in using the intercepted login name by overwriting the outgoing login packet with the intercepted MD5 hash – thus logging in the victim’s poker account without their knowledge, remotely.
We’ve also been able to remotely display all seat numbers and hole cards on a compromised network."
PTR listed the situation as "critical" (no kidding), leading Cereus to inform PTR that they were "working towards a solution".
If you want a complete breakdown of the security issue, I suggest that you hit this page on Pokertableratings.com, as they explain the problem far better than I ever could.
The same day, executive Paul Leggett revealed in a blog posting on blog.ultimatebet.com that PTR was "able to crack our local encryption method" and that he was "very embarrassed and upset that this issue was not caught by our internal staff or through the countless audits we've been through this year and last year." Leggett said that the "issue" would be resolved "within a matter of hours."
Now, for some reason, Leggett and the rest of the higher-ups at the Cereus poker network decided that it wasn't necessary to halt all play on the network while the problem was being addressed. It seems to me allowing play to continue on the network BEFORE the fix has been implemented and AFTER the vulnerability has been made public is incredibly stupid, but whatever.
The next day (May 7th, 2010), PTR revealed that they were asked by Cereus to "participate in auditing and testing the new forms of encryption", and that PTR agreed to this request.
In addition, Cereus released a new version of their software on May 7th that was to "address the issue".
Fast forward to May 14th, 2010.
PTR released an article titled "Cereus Patch adds SSL, Update: NOT SECURE!".
In this article, PTR revealed that Cereus has "updated to include SSL support", but that "the update seems to use OpenSSL ONLY for player actions such as hole cards, bets, etc - we have already been able to hijack a test poker account using the exact same methods." PTR provided multiple updates to the article - in the most recent update, PTR revealed that Cereus had contacted the site and revealed that "our developers are working on resolving this issue and will follow up with a second update later today that will fix this."
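Why the login stayed hijackable while it remained outside SSL, as an added example that is not code from PTR, Cereus or this article: when the client sends the MD5 hash itself, the hash is the credential, so a captured copy logs in as well as the password would. The account, password and message layout below are constructed simplifications, and the nonce-based variant is shown only for contrast; it is not what Cereus deployed.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

# Constructed account store: the server keeps MD5(password).
ACCOUNTS = {"player@example.com": md5_hex("correct horse")}

def login_static(user, wire_hash):
    # Design described in the advisory: the login packet carries MD5(password).
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(stored, wire_hash)

class ChallengeLogin:
    # Contrast case (assumption): one-time nonce, client answers with an HMAC over it.
    def __init__(self):
        self.pending = {}

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # each nonce is accepted once
        stored = ACCOUNTS.get(user)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(password, nonce):
    key = md5_hex(password).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

def demo():
    user = "player@example.com"
    captured = md5_hex("correct horse")      # value seen on the wire in the static design
    static_replay = login_static(user, captured)
    server = ChallengeLogin()
    answer = client_response("correct horse", server.challenge(user))
    first_use = server.verify(user, answer)  # legitimate login
    server.challenge(user)                   # a later session gets a fresh nonce
    replayed = server.verify(user, answer)   # old answer no longer matches
    return static_replay, first_use, replayed

if __name__ == "__main__":
    print(demo())
```

The nonce only stops a captured login from being reused; the stored MD5 value is still password-equivalent on the server side, and the fix the advisory points to is SSL over the whole session, login included.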
Paul Leggett acknowledged this latest blunder in another blog posting, and revealed that "we expect to have it fixed before the end of the day."
That's the last I've heard from either side (PTR or UB).
As some other sites have pointed out, Cereus has seen its traffic dip since news of this vulnerability first surfaced. Pokerscout.com has a six-month graph of the traffic trend at Cereus that you can see here.
Given the fact that Absolute Poker and Ultimatebet were both rocked by "superuser" scandals, you would think that the Cereus poker network would have top-notch security in place, but this is clearly not the case.
In my opinion, Cereus needs to take the hit and shut down their network until this situation is fully resolved, but it doesn't look like that will happen.