A recent article that appeared on PokerTableRatings.com addressed potential encryption issues on the CEREUS Network sites UB.com and Absolute Poker. According to PokerTableRatings.com, hackers could have been able to access players’ hole cards.
PokerTableRatings.com opened its piece by explaining, “We have no way of knowing if this exploit has been discovered and used to steal from CEREUS users, but it seems unlikely. It is our hope that this information will allow CEREUS users to protect themselves.” CEREUS’ software employed a custom form of encryption that was XOR-based, whereas major corporations and even government entities use SSL.
According to PokerTableRatings.com, all that’s required to break CEREUS’ encoding is a standard Windows calculator: “To see how simple it is to decode this data, simply open up your windows calculator and set it on scientific mode. All that is really necessary to decode the data stream is the XOR button.” The XOR button is on the far right side of the Windows calculator. A hacker could potentially log into your wireless network if you’re playing online and decode what hole cards you’re being dealt.
PokerTableRatings.com cautioned that unsecured wireless networks presented a “severe” risk level, while a public secured wireless held a “moderate-high” risk level. Public wired and unsecured home wireless systems were “moderate” in risk, while home secured wired and wireless networks were considerably safer: “In our lab, using a dummy cracked wireless network, we’ve been able to successfully hijack our own test poker accounts without being connected to the network the test victim is playing on. We’ve also been able to observe hole cards as they were dealt in real-time from a test victim using the same mechanisms.”
PokerTableRatings.com implored players on the CEREUS Network to stop playing until the encryption issue was fixed. If users continued to fire up CEREUS Network sites UB.com and Absolute Poker, they were advised to hardwire their computer directly into the modem to avoid using any wireless network: “We also recommend against a player revealing that they play on the CEREUS Network until these issues are resolved, so as to avoid making themselves a target.”
PokerTableRatings.com published its explanation of the security flaw on May 6th. On the same day, Tokwiro COO Paul Leggett acknowledged the issue and pledged to right the ship. On May 7th, Leggett stated that he was unaware of any players being affected by the flaw, “but we have just begun investigating users that our players have requested. We are reviewing all serious complaints to see if any player was able to exploit this vulnerability.” In response, CEREUS developers introduced a “more advanced multi-layer encryption.”
Leggett also revealed that CEREUS was in the process of rolling out OpenSSL encryption, which should be live within a week. Representatives of PokerTableRatings.com will be helping test CEREUS’ new encryption methods when the time comes. Leggett added, “We are also discussing the possibility of PTR engaging the poker community and auditing our complete security in order to ensure we are doing everything possible to provide a secure gaming environment.”
For the online poker community, the latest hiccup brought back memories of the Russ Hamilton-led scandal that rocked the site from 2004 to 2008. The Kahnawake Gaming Commission (KGC) also released a statement on the CEREUS Network encryption problems that read in part, “Until a solution to the security issue is fully implemented, the Commission recommends that players use caution when accessing the Absolute Poker or Ultimate Bet sites, in particular when using a public network (wired or wireless) or a private wireless network.”
The KGC serves as the regulatory body for many of the online poker industry’s marquee sites, including Absolute Poker, Bodog, Carbon Poker, Everest Poker, Intertops, Paddy Power, Poker Nordica, PokerTime, RPM Poker, UB.com, and Winner.com.