Another Ultimatebet Scandal

**thepokerkeep** · 8 May 2010, 9:12 am

It appears that the Cereus Poker network has some serious security flaws. According to Poker Table Ratings, Ultimate Bet uses a flawed encryption system which is vulnerable to malicious hacks. According to PTR:

PokerTableRatings has discovered a critical flaw in the Cereus Poker software which affects both Absolute Poker and Ultimate Bet, allowing an attacker to hijack victim’s poker accounts and display their hole cards in real time. We have alerted the Cereus Network to this vulnerability, providing them with source code necessary to demonstrate the problem. We hope our e-mail and this bulletin are sufficient motivation for them to fix the problem.

It appears that this security hole allows your log-in/password info to be picked up by the hackers as well... so technically, your money could be stolen/transferred to another account or someone could log-in and play under your account.

I've included a few interesting snippets from the thread running on 2 Plus 2:

Nobody really knows who is writing code for the company now. The CTO of Excapsa started a subsidiary called RealTimeEdge several years ago which handled all programming and software updates. When Excapsa dissolved, this company was not included in the asset sale to Blast Off, though they did continue on in a support role for the new company; likely as a contractor.

Now, RTE is very busy because with the impending default of BO against the promissory note, Excapsa (now Aspacxe, seriously you cannot make this **** up) made a deal to take back the software IP which they have apparently been using to write/modify/or emulate in a new product/site called Spotlight poker which is set to be rolled out. Since RTE is a soon to be competitor to UB/AP along with the already contentious situation between the original company and the licensor/purchasor, its possible CEREUS doesn't really have much in the way of programming resources at all.

This is all very bad. Having said that, I will take the under that traffic doesn't drop more than 10% in the next month as rated by Pokersitescout. There is no shortage of people who play slots at rural tribal casinos when the yellowhammer guys will actually tell you the payouts are set in the mid 70 percent range. And for whatever inane reasons they give, people will continue to deposit and play poker at UB/AP along with vapid player reps and besotted management shills.

Statement from KGC (Kahnawake Gaming Commission)

The Commission has been advised of a security issue concerning the CEREUS poker network used by the Absolute Poker and Ultimate Bet poker sites. The issue concerns the mechanism used by CEREUS for network transmissions having a potential for player data to be improperly accessed under certain specific circumstances.

The Commission is actively reviewing this matter with senior management of Absolute Poker and Ultimate Bet and with its Approved Agents. The Commission will issue a further notice of its findings as soon as this review is completed. The Commission is monitoring immediate measures that are being taken to address the security issue and is advised that a more permanent solution is to be implemented on an urgent basis.

Based on information available at this time, it appears unlikely that player data was actually compromised. However, this possibility will be reviewed further and, if necessary, the Commission will direct that the appropriate remedial actions be taken. Until a solution to the security issue is fully implemented, the Commission recommends that players use caution when accessing the Absolute Poker or Ultimate Bet sites, in particular when using a public network (wired or wireless) or a private wireless network. For further information, please contact the Kahnawake Gaming Commission at [email protected]

Ultimatebet released the following statement on their blog:

Hello UB’ers,

One hour ago, I learned about an article posted today on Poker Table Ratings (PTR) regarding an issue with the local encryption that we use on the Cereus Poker Network. For those of you not familiar with the issue, PTR was able to crack our local encryption method. I wanted to blog to make sure our players and the poker community know how seriously we take this issue.

I would like to start by reminding everyone that someone would have to have the technical capabilities to crack the encryption method we currently use and they would also have to hack into your local network in order to gain access to sensitive data. We are currently working on implementing a new encryption method and we expect to have it live in a matter of hours.

I would also like to say that I am very embarrassed and upset that this issue was not caught by our internal staff or through the countless audits we’ve been through this year and last year. We’ve invested a great deal of money into all types of security and I am very shocked that this was not identified by us or the many third party auditors we’ve employed.

Needless to say we plan to find new security resources and third parties to help us test this solution and make sure we provide you with the absolute best security that money can buy.

I would also like to thank PTR for identifying this issue and sharing it with us and the poker community.

We will continue to update you on this issue but we will not rest until it is fixed and as I stated earlier, we plan to have this issue resolved within a matter of hours.

Play well,

Paul Leggett

According to a number of software engineers, it is not possible to correct the issues within a few hours. I've quoted one comment from an engineer who posted on 2p2 regarding Paul Leggett's claims:

I'm a software engineer and my company was tasked with adding FIPS 140-2 encryption to our client-server application. It took us approximately 5-6 months to properly implement and test it. Admittedly, we had a small team of 4-5 developers, but having this done "within hours" of it being discovered by an outside source is laughable at best. Basically, what others have stated is accurate: If it is done within hours, it means it was already implemented and a switch was turned on once it was discovered. No chance that proper encryption can be implemented that fast.

Another poster pointed out the following concern with this vulnerability:

I think a point which is missed is that, while most people seem to be concerned about people seeing their hole cards, one of the benefits of SSL is that it prevents so-called "man in the middle attacks," by authenticating the server. Basically, by using SSL, when you login to Stars/FTP, you know you're talking with the Stars/FTP servers. With UB, not only is your password probably being transmitted with XOR, you actually don't even know if you're talking with the UB server.

To make matters worse, UB has the following information posted on their website:

“Our security and safety measures and procedures are constantly reviewed and updated to ensure that all our players have a safe place to enjoy?br />
We have a number of features to protect your privacy while you're playing at UltimateBet.

Our client software uses the certificates issued by our own Certificate Authority (CA) to authenticate our servers. UltimateBet software authenticates our servers by using the industry standard DES combined with AP's custom encryption algorithm.

Our client software uses a combination of DES and UltimateBet's custom algorithm for encryption. We use 256 bit encryption to ensure the highest level of privacy and confidentiality of data both to and from UltimateBet's servers.?br />
And on another page they have this contradictory and untrue claim since they obviously did not have SSL encryption installed!!

"UltimateBet is secure in the transfer of any information between our players and our UltimateBet servers. We use the internationally accepted industry standard SSLv3/TLSv1 encryption algorithm to protect your information as it transfers between our client application running on your computer and our servers.

So whether it is a credit card, your name, password, your cards, your personal address or any other private information, it is protected. Player cards are sent directly and exclusively to the individual player's computer without ever being susceptible to hacking."

Their checkered past:
Add the previous issues with Ultimatebet and Absolute Poker and you've got to wonder why this company continues to exist. They (Cereus) are currently ranked as the 8th largest (busiest) online poker network.

Recent 2p2 thread where players exposed a glitch that showed certain players' hole cards - Why can I see what people fold?

Absolute Cheats

The Absolute Poker Super User Scandal - Cliff Notes

Ultimate Bet Superusers and silence

The Potripper back story

KGC Fingers Russ Hamilton

UB Cheating Scandal

I blogged quite often during the UB Super User scandal - most posts can be found at this link:
UB Superuser Scandal

**dhayman** · 8 May 2010, 9:20 am

I hardly call this a scandal.....more like a software/encryption security vulnerability, if in fact, all of the above is true.

**thepokerkeep** · 8 May 2010, 9:56 am

Originally Posted by dhayman

I hardly call this a scandal.....more like a software/encryption security vulnerability, if in fact, all of the above is true.

Seriously?

This is the company that is supposed to be audited on an ongoing basis by top notch security companies (as ordered by KGC) as part of the conditions required for them to keep their license.

You don't see the scandal in this?

These so called audits by security specialists did not find the vulnerability. I would say that in itself is scandalous.

They claim

“Our security and safety measures and procedures are constantly reviewed and updated to ensure that all our players have a safe place to enjoy…

We have a number of features to protect your privacy while you're playing at UltimateBet.

Our client software uses the certificates issued by our own Certificate Authority (CA) to authenticate our servers. UltimateBet software authenticates our servers by using the industry standard DES combined with AP's custom encryption algorithm.

Our client software uses a combination of DES and UltimateBet's custom algorithm for encryption. We use 256 bit encryption to ensure the highest level of privacy and confidentiality of data both to and from UltimateBet's servers.”

Yet a hacker can break their encryption using a calculator! That's not scandalous?

Every other poker network uses SSL encryption, but they don't! They would rather rely on their own superior encryption software - did I mention that it can be hacked using a calculator.... Not scandalous?

This company should be bending over backwards to make sure they're squeaky clean. Yet, they continue to screw up!!

Why wasn't this vulnerability detected during one of their regular audits?

Why did it take PTR to out them on this vulnerability?

How will they be able to prove that no one ever took advantage of this "vulnerability" to cheat players?

As for whether it's true or not.... UB has issued a statement verifying that it is.

**Anthony** · 8 May 2010, 10:54 am

One hour ago, I learned about an article posted today on Poker Table Ratings (PTR) regarding an issue with the local encryption that we use on the Cereus Poker Network. For those of you not familiar with the issue, PTR was able to crack our local encryption method. I wanted to blog to make sure our players and the poker community know how seriously we take this issue.

I would like to start by reminding everyone that someone would have to have the technical capabilities to crack the encryption method we currently use and they would also have to hack into your local network in order to gain access to sensitive data. We are currently working on implementing a new encryption method and we expect to have it live in a matter of hours.

If they can crack the software encryption, it is nothing to hack into a local network.

**thepokerkeep** · 8 May 2010, 11:58 am

Originally Posted by Anthony

If they can crack the software encryption, it is nothing to hack into a local network.

Exactly.

And they never even bothered to take the network off line once they became aware of the vulnerability. Player accounts were/are left open to hacking.

According to what I've read, it will take days or weeks to implement an SSL system and thoroughly test it.

All it would take is one unscrupulous employee, or ex-employee, to hack the system and they could conceivably steal millions from player accounts while this vulnerability remains open.

**fastermule poker** · 9 May 2010, 5:45 am

Originally Posted by dhayman

I hardly call this a scandal.....more like a software/encryption security vulnerability, if in fact, all of the above is true.

looooooooooooooooooooooooooooooooooooooooooooooooo ooooooooooooooool.

Thanks for making my morning. Usually the most ridiculous post I read all day is on 2+2.

This is clearly a scandal - thanks for the good analysis Keep.

**dhayman** · 9 May 2010, 8:00 am

Well guys/gals, being in the software industry, I beg to differ. On average, Microsoft discovers vulnerabilities in its multitude of operating systems, over 20 times per month. These vulnerabilities, if exploited, can result in all of your "personal" information being pilfered at the drop of a hat. Sure they have a vulnerability team that is busy at work trying to crack their own systems, but from my insider friends at MS, they say that many of them are actually fixed maybe 6 months after the fact. Oh yes, and this comes from the largest software company in the world, that most of us have a rather large personal investment in.

I agree that most vulnerabilities take time to discover, and even more time to remedy properly, so to state that it will be fixed in a day or two, is probably sheer lunacy, and probably some neophyte making a knee-jerk reaction statement. Unless, of course, UB has an SSL solution waiting on the shelf, and now the revelation of this problem is forcing them to roll it out pronto. I dunno.

A scandal, IMO, is something that is exploited, due to a known vulnerability, to make profit. It does not sound remotely like this. Whether those watchdogging the vulnerabilities should have come up with this, is an entirely different issue. FYI, most of Microsoft's vulnerabilities are discovered by people outside their organization, and not Microsoft themselves. Their are a lot of super-smart, devious hackers out there, that get their jollies from "breaking and entering".

I do agree with the posters that stated that the system should be shut down, until addressed properly. That would be the most prudent thing to do. Good job by those who discovered this weakness.

**fastermule poker** · 9 May 2010, 8:13 am

looool. What a well thought out way to defend the ridiculous.

Ask some security experts then since you seem to know so many insiders whether they think it is acceptable to run the system UB/AP are using... and if they would have signed off a security audit on Cereus.

Why you think such a massive and outright obvious security hole at a network which allowed the biggest cheating scandal in the history of online poker to happen is not a scandal I have no idea.

**thepokerkeep** · 9 May 2010, 9:55 am

If your bank used XOR encryption rather than the industry standard SSL protocol would you call that a scandal?

UB and AP handle millions of dollars in transactions (much like a bank) and XOR is the basis for the encryption system they chose to implement.

You can't seriously be comparing holes in Microsoft's software to a completely inadequate encryption system that is supposed to protect players identities and funds. Not to mention the potential for cheating.

And this failure of a security system has been in place at least as long as Cereus has been online, yet the so called auditors didn't notice they were using such an insecure system.

Come on!!

**Chips** · 9 May 2010, 10:15 am

Thanks for the info Terry, just another reason I do not promote either site and they remain on my blacklist. If I had a poker room that was exposed like ub/ap and I had to clean it up, I'd be damned sure to use the very best protection available.

To leave it up and running only proves the fact that Cereus is serious about jacking players. It's a shame that they continue to get in trouble and what's more, they players continue to dump cash into the site.

**dhayman** · 9 May 2010, 10:43 am

Originally Posted by thepokerkeep

If your bank used XOR encryption rather than the industry standard SSL protocol would you call that a scandal?

UB and AP handle millions of dollars in transactions (much like a bank) and XOR is the basis for the encryption system they chose to implement.

You can't seriously be comparing holes in Microsoft's software to a completely inadequate encryption system that is supposed to protect players identities and funds. Not to mention the potential for cheating.

And this failure of a security system has been in place at least as long as Cereus has been online, yet the so called auditors didn't notice they were using such an insecure system.

Come on!!

Wow, I'm getting beaten up here. Listen, I'm not trying to defend the lack of security here....I get all of your points on that. And I also understand that ignorance of a condition doesn't make it all right. And yes, shame on them for not implementing an SSL layer years ago. And yes, your are right, they do handle MM's of dollars a day, and yes, maybe they should have shut the system down, when this "hole" was discovered....I hear all of you on that. I'm not disagreeing on any of that.

All I think is that many of you are using your prior distrust of the brand (and perhaps rightly so), to make this is a "scandal". It is not a scandal in my eyes, until someone took advantage of the security holes purposefully to generate profit. Did this happen ? Has anyone heard of anything to that effect ? Do any of you think that that all of the big brands out there have teams and teams of programmers and security gurus that ensure that these systems are rock solid ? No way in hell. Their staffs are minimal compared to that of Microsoft and the regulated banks of the world. For the most part, this is still largely an unregulated industry, and is dwarfed in comparison to the banking sector or the software industry at large.

Believe me when I say it, you would cringe if you've heard some of the MS stories that I've heard, about holes in their OS's, that if had been exploited, could have brought the world to its knees. Yes, all the PC's of the world and simultaneously ! Worldwide business and commerce....we're talking about trillions a day here, not millions. And you're talking about the freekin' largest software company in the world, that has 10's of thousands of developers......not a tiny poker site that has maybe 5 developers, and an oversight board of maybe 2 or 3. You want to talk about real scandals, let's talk about High Frequency Trading, and what happened in the U.S. markets on Thursday between 2:40 PM and 3:00 PM EDT. That's a freekin' scandal !! Where the misuse of high-speed computers and non-coordination of meltdown shutoff triggers across electronic markets which caused instant evaporation of 1 Trillion dollars of wealth in less than 20 minutes....that's a scandal. Well, enough on this, I am totally digressing here.....

I'm not condoning what has happened here, but all I'm saying is that my definition of a "scandal" is radically different from yours. The term "scandal" is a relative concept; I think that's all I'm alluding to here. No scandal in my eyes until someone used this shortcoming to make or pilfer money. Did that potential exist, sure it did. Did it happen - to the best of my knowledge, no. Was any of this done purposely to scam players - no. I call it a "security vulnerability", you call it a "Scandal".

**fastermule poker** · 9 May 2010, 10:48 am

The real definition of scandal:
A publicized incident that brings about disgrace or offends the moral sensibilities of society
(source https://www.thefreedictionary.com/scandal)

It sure was public and it sure brought disgrace and it sure was morally unacceptable considering they particularly needed to close their security holes.

Your (alternative) definition of scandal:
Someone abusing the incident to make profit.

So you define scandal to mean using what the rest of us understand to be a scandal to make profit. Which is no doubt why you disagree with us since that's not what the word means

**Smoking** · 9 May 2010, 10:50 am

take any definetion of a Scandel you want:

A scandal is a widely publicized allegation or set of allegations that damages the reputation of an institution, individual or creed.[dubious – discuss] A scandal may be based on true or false allegations or a mixture of both.

A scandal a disgraceful or discreditable action, circumstance, etc. A controversy.

Now lets do cover up:

A cover-up is an attempt, whether successful or not, to conceal evidence of wrong-doing, error, incompetence or other embarrassing information. The expression is usually applied to people in authority who abuse their power to avoid or silence criticism. Those who cover up may be those responsible for a misdeed or their allies, or simply people with an interest in silencing criticism.

So maybe a cover up scandel ??

is the software fixed? they say it is

but in so little time???

**dhayman** · 9 May 2010, 10:59 am

So we've now come down to semantics

, on Mother's Day of all days, but my definition of scandal (as per Dictionary.com definition # 2):

"an offense caused by a fault or misdeed. " A "fault", in turn, is defined as "a defect or imperfection or flaw" (Yes, you win on that one !), and a misdeed is defined as "an immoral or wicked deed" (sorry, I can't see this situation falling under this one). I'm gonna call it a draw then, or a split-decision, semantics-wise.

In any event, the decisions here are real easy. Everyone has a choice to either play or not play there, and to promote or not promote them.

Happy Mother's Day to all the Mothers out there !

**thepokerkeep** · 9 May 2010, 11:43 am

It is not a scandal in my eyes, until someone took advantage of the security holes purposefully to generate profit. Did this happen ?

Ahhh, but how do you or I, or anyone else for that matter, know whether or not this vulnerability was exploited? There is no way to tell if someone was using the lack of proper encryption to view opponents hole cards. This flaw has been in existence for many months so it stands to reason someone has discovered and taken advantage of it.

We'll never know whether players have been cheated.... that's what makes this at least as disturbing as the super user scandal. No one will ever be compensated in this case.

is the software fixed? they say it is

but in so little time???

Short answer - no. There are still vulnerabilities. Although, the big "poker news sites" would have us think it is fixed. They have changed the password or encryption key or whatever the procedure is but they have not upgraded to SSL encryption at this time.

**dhayman** · 9 May 2010, 12:14 pm

Originally Posted by thepokerkeep

Ahhh, but how do you or I, or anyone else for that matter, know whether or not this vulnerability was exploited? There is no way to tell if someone was using the lack of proper encryption to view opponents hole cards. This flaw has been in existence for many months so it stands to reason someone has discovered and taken advantage of it.

We'll never know whether players have been cheated.... that's what makes this at least as disturbing as the super user scandal. No one will ever be compensated in this case.

Short answer - no. There are still vulnerabilities. Although, the big "poker news sites" would have us think it is fixed. They have changed the password or encryption key or whatever the procedure is but they have not upgraded to SSL encryption at this time.

Listen pokerkeep, the short answer is we don't know. And I hate to say it, since I do advocate the online Poker industry, but the bottom line is that we don't know with any of the brands out there. Who knows what really is going on with any of their servers, super-user accounts, bots, security, etc. We just don't know. The lack of true uniform and formal regulation and auditing makes the entire industry suspect, and there is certainly inherent risk by playing with money at any of these sites. The same can be said for the land-based casinos, lotteries, etc. We are told how secure they are, but are we in fact safe with any of these entities ? I am full-time day trader, and have seen inequities in the market since I began trading in 2002. I learned something new this past week concerning lack of coordinated electronic markets in highly volatile conditions, which was precipitated by HFT's. Did I know that this potentially existed prior to Thursday ? No, I did not. Thankfully, I wasn't effected by the busted trades that have been rolled back in a 20 minute span, but if this isn't a scandal, I don't know what is. Bottom line, is any of our money safe anywhere ??????? There are vulnerabilities and inequities in all systems, that you and I aren't even aware of. Granted some are worse than others, and like I said, I applaud those that revealed this specific vulnerability to the industry. Hopefully, it is addressed properly.

**bb1web** · 10 May 2010, 1:49 am

What remains a mystery to me is why people continue to support a place that regardless of what term you want to put on it ... has not made a professional effort to safeguard its customers.

Look no further than the ... I believe someone termed it the biggest online poker scandal ever, and it was obvious that regardless where the blame was to lie for the superuser accounts existing in the first place, it was the fact that the poker rooms tried to cover it up that is reason for turning your back on them.

And now this claiming things have been fixed in a matter of hours just sounds too much like covering up.

but again ... why the places have deserved a second chance when they were so obviously willing to throw the best interests of their customers to the wayside to protect their own better interests. Speaks all I ever need to hear.

**fastermule poker** · 10 May 2010, 6:34 am

Originally Posted by bb1web

What remains a mystery to me is why people continue to support a place that regardless of what term you want to put on it ... has not made a professional effort to safeguard its customers.

+1

Also:-

https://forumserver.twoplustwo.com/29...r-news-779387/

Was an interesting read. I felt like having a puke at how these 'news' sites covered the story. I'm too lazy to give cliffs but the chap in that thread went to each news site and summarised their coverage. Pretty sick.

**thepokerkeep** · 10 May 2010, 6:56 am

Here's a good explanation why this is more serious than most would like us to believe:

As a coder I can confirm this is a very big deal. The encryption method used is a complete joke and ridiculously easy to "crack" (it's not even really encryption in the sense you would expect it to mean, it's more like obfuscation).

The real danger from this comes not from someone hijacking your wireless network, which is what the article focused on and what statements from UB are focusing on, it's that someone who has access to an ISP backbone connection can now sniff for all traffic packets from UB routed through that location and can spy on pretty much anyone they want to. This is something that end users have zero control over of course and it doesn't matter how strong your own protection methods are, you are still at risk because this is a Fundamental Flaw in the software. I can't even fathom how incompetent these people are that they ignored extremely basic security standards.

Source

Like I keep repeating - this is very serious and could have been abused for months (years?) without being detected. There is absolutely no way to prove (or disprove) how much money was stolen from players.

**Caruso** · 10 May 2010, 7:47 am

Originally Posted by thepokerkeep

Add the previous issues with Ultimatebet and Absolute Poker and you've got to wonder why this company continues to exist. They (Cereus) are currently ranked as the 8th largest (busiest) online poker network.

The answer is the same as why people gamble online in the first place: they are retards. Without retards, there'd be no industry.

Forget AB / UB: the owners could be molesting children in the next room; their online gambling parents would still happily clickity-click away.

People still patronise UB / AP because they are retards. End of.

Useful info I'd have missed, as apart from the Microgaming scandals I don't follow poker. I'll contribute a write up.

Thread: Another Ultimatebet Scandal

LinkBack

Thread Tools

Search Thread

Display

Another Ultimatebet Scandal

The Following 3 Users Say Thank You to thepokerkeep For This Useful Post:

The Following User Says Thank You to Caruso For This Useful Post:

Tags for this Thread

Posting Permissions