Cereus - new software issue

jetset

CEREUS POKER UNDER THE SPOTLIGHT AGAIN

Software encryption issue claimed

The management at Cereus online poker network owners Tokwiro Enterprises must have groaned in dismay just before the weekend as news broke that a new software flaw had been uncovered at the network, comprised of the Absolute Poker and UltimateBet websites.

The two online poker sites have historically been the setting for online poker’s biggest cheating scandals (see previous InfoPowa reports) which cost Tokwiro millions of dollars in licensing jurisdiction fines and player compensation, and more on painstakingly rebuilding badly dented reputations.

The current issue was exposed by the information portal Poker Table Ratings and apparently has the potential to result in the possibility of a cheater ‘seizing’ control of a player’s account and seeing his or her hole cards.

PTR immediately went to press to warn players, at the same time passing on its information to Tokwiro. The portal additionally issued a “security alert” advising players not to play at AP/UB on grounds that Cereus was using XOR encryption rather than the poker industry standard SSL protocol for all network transmissions.

One notable difference in how the issue is being handled has become immediately apparent; gone is the past approach of denial, secrecy and procrastination. In its place, Paul Leggett as chief operating officer for Tokwiro immediately took the issue on board and started blogging.

This was what he had to say:

“One hour ago, I learned about an article posted today on Poker Table Ratings (PTR) regarding an issue with the local encryption that we use on the Cereus Poker Network.

“For those of you not familiar with the issue, PTR was able to crack our local encryption method.

“I wanted to blog to make sure our players and the poker community know how seriously we take this issue.

“I would like to start by reminding everyone that someone would have to have the technical capabilities to crack the encryption method we currently use and they would also have to hack into your local network in order to gain access to sensitive [player gaming] data. We are currently working on implementing a new encryption method and we expect to have it live in a matter of hours.”

Leggett went on to comment that the revelations were embarrassing inasmuch as internal IT staff had not caught the flaw and neither had “the countless audits we’ve been through this year and last year.”

He assured readers that the company has spent a significant amount of money on all types of security since the AB and UB debacles, and has plans to invest in new security resources and third parties to test these to ensure that players are protected by the best security that money can buy.

Leggett publicly thanked Poker Table Ratings for exposing the encryption flaw.

“We will continue to update you on this issue but we will not rest until it is fixed and as I stated earlier, we plan to have this issue resolved within a matter of hours.”

A software update was issued a few hours later, and the firm promised the release of a more advanced solution using the OpenSSL protocol, scheduled to be available in one week.

Leggett also immediately alerted the Cereus licensing jurisdiction – the Kahnawake Gaming Commission.

Leggett was immediately challenged by one poster who claimed: “It is completely untrue that someone would have to have local network access to take advantage of this, and that assertion is flat out wrong.

“Someone working for UB’s ISP could intercept ALL traffic coming into UB’s servers and use this exploit. The [gaming] data is vulnerable at EVERY hop between the user’s PC and the server.

“Your response is also unacceptable, by not immediately shutting down ALL games, you are allowing this vulnerability to persist on LIVE games while you fix it.”

Respected poker journo B.J. Nemath took a calmer view, noting that computer security takes many forms, and there are many different points of potential vulnerability.

“This exploit is completely different than the one allegedly used by Russ Hamilton [in the previous scandal] to see his opponent’s hole cards from anywhere in the world,” Nemath opined.

“Notice that in this exploit, you can only see hole cards for players on a locally-accessible network — in this test, the guy can only see his own hole cards. That’s because your opponents’ hole cards aren’t transmitted to your computer until the hand reaches showdown.

“But if you knew where your opponent lived, and had someone parked down the street ‘sniffing’ his wireless network, that person could call you on his cellphone and tell you your opponent’s hole cards at the start of each and every hand.

“I’m not trying to lessen this issue - it’s a very big deal, and this security hole needs to be fixed ASAP.

“This seems to be a simple fix (with a short-term patch in less than 24 hours and a long-term fix coming in a week).”

It seems the AB/UB history will never be laid completely to rest; just last week the former editor of Poker News, Haley Hintze, published on her blog extensive findings and insider information on the historic scandals.

She continues to investigate (see previous InfoPowa report) the issues on suspicions of cover ups at the time, suggesting that Russ Hamilton may have been a scapegoat whilst others went free and unidentified.
 

Luckylizzy

This network just can't seem to pick up all the pieces... I cannot understand why they don't use SSL encryption technology instead of their own. If it can be hacked using a calculator then they sure could use an upgrade.

I wonder what eGOGRA will do to make sure they clean up their act. It makes me question if being accredited by them is proof of a safe site after all.
 

pokeraddict

From Haley's Poker Blog:


There isn't a direct link afaik so you have to scroll about 2/3 of the way down. One would assume by reading this that there are serious financial troubles at AP/UB. Either that or some sort of dispute between the old and new UB.

Just Conjecturin', Volume 10: Defaults and Dividends, Chorus #2

Second verse, same as the first? Several readers have pointed out to me two recent public documents regarding entities connected to the Ultimate Bet -- UB.com these days -- online cheating scandal. The new documents involve the second suspension of monthly payments made by UB/AP purchaser Blast-Off Limited, which is just another name for Joe Norton's Tokwiro Enterprises ERNG, to the original UB owners Excapsa/6356059 Canada, Inc. these days. There are already whispers of shenanigans involved with these latest happenings, so we'll keep a close eye on what happens next. The complete documents are available here and here, but what the heck, I'll type them out so they can be re-read, click-free:

Document 1:

XMT Liquidations Inc.
1155, boul René-Lévesque ouest, bureau 2010
Montréal, Québec H3B 2J8

To: Shareholders of 6356095 Canada Inc. (formerly Excapsa Software Inc.)

From: XMT Liquidations, Inc. (its Court-appointed liquidator)

As you know, Blast Off Limited ("Blast Off") is indebted to 6356095 Canada Inc. (formerly known as Excapsa Software Inc.) in virtue of two Promissory Notes, each dated June 30th, 2009, in the respective amounts of US$41,900,000.00 and US$64,469,257.00.

On November 30th, 2009, Blast Off failed to make an instalment [sic] payment of US$500,000.00. In virtue of such default, the Liquidator, after consultation with the inspectors, and through its attorneys, sent a formal demand letter:

1) claiming payment of the sum of US$500,000.00;

2) advising Blast off that unlesss [sic] said default and all and any subsequent defaults were cured with the ninety (90) day-period allowed under the Promissory Notes, the entire amount of both Promissory Notes would become due and payable, and;

3) further advising Blast Off that the Liquidator intended to exercise all of its recourses to recover the sum due under the Promissory Notes, including the Liquidator's rights under the Malta Pledge, the CL Escrow Agreement and the DN Security Agreement.

Under the Malta Pledge, the shares in Blast Off are pledged as security for the Notes. Such shares are issued by Blast Off under the laws of Malta. Accordingly, the Liquidator has engaged legal counsel in Malta with a view, if necessary, to eventually exercising the security held over the Blast Off shares.

The Liquidator is also considering exercising its rights and remedies under the CL Escrow Agreement (in virtue of which the non-US customer base was placed in escrow as collateral security for the Notes) and the DN Security Agreement (in virtue of which certain domain names were given as collateral security).

The Liquidator will continue to update shareholders as developments occur.

The 90-day cure period expires on March 11, 2010. Prior to such time, shareholders are requested to keep the contents hereof confidential and not to disclose Blast Off's default or discuss same with anybody but another shareholder, or the Liquidator.

Dated this 26th day of January, 2010,

XMT Liquidations, Inc.
Per: (signed)
Sheldon W. Krakower, C.A.

So much for the initial notice. That was sent out to shareholders and negotiations with Blast Off commenced, with the following update (Document 2) coming just a few days back:

XMT Liquidations Inc.
1155, boul René-Lévesque ouest, bureau 2010
Montréal, Québec H3B 2J8

To: Shareholders of 6356095 Canada Inc. (formerly Excapsa Software Inc.)

From: XMT Liquidations, Inc. (its Court-appointed liquidator)

In our last communication dated January 26, 2010 (copy attached), we advised you of the suspension of payments by Blast Off Limited ("Blast Off") under the first Promissory Note and the onset of a 90-day cure expiring on March 11, 2010. Negotiations followed and culminated in an arrangement whereby Blast Off will pay US$1,150,000.00 to the Liquidator by monthly installments ending on May 31, 2010, of which U$450,000.00 has been received, plus an additional US$100,000.00 for costs due on June 15, 2010. The Liquidator has informed Blast Off that acceptance of any payments is not to be taken as a tacit forbearance, nor an acceptance, renunciation or waiver of any conditions, rights or obligations. Assuming that these payments are made on time and no other defaults occur under the Promissory Notes, the Liquidator does not intend to pursue any of its rights and remedies prior to June 1, 2010.

The US$1,150,000.00, together with the US$250,000.00 paid by Blast Off earlier this year, will cover the November and December 2009 monthly installments plus $400,000.00 on account of the January 2010 installment. This will leave arrears of $2,100,000.00 owing as of May 31, 2010 (i.e. $100,000.00 for January 2010 and $2,000,000.00 for February through May 2010). There is no agreement in place with Blast Off relating to payment of this sum and, failing an agreement, the Liquidator shall be entitled to exercise its rights and remedies under the Promissory Notes and related security. The Liquidator anticipates further discussions with Blast Off and will continue to update shareholders as matters progress.

The Liquidator recently received a clearance certificate from Canada Revenue Agency authorizing a further distribution of up to $US10,000,000.00 to shareholders. The Liquidator hopes to make a distribution within the next 90 days, but will make this decision based upon the level of payments received and committed from Blast Off up to and following May 31, 2010.

Dated this 12th day of April, 2010,

XMT Liquidations, Inc.
Per: (signed)
Sheldon W. Krakower, C.A.

posted by Haley @ 9:23 AM
 

jetset

Closing note for this thread (now that the problem appears to have been fixed) comes from Daniel Negreanu's blog:

"I've spoken to, and only heard great things about their new guy Paul Leggett, but this is a pretty big deal in my book.

"Dude, if you knew about this security issue, why, why, oh why didn't you shut the site down immediately to fix it? I thought about that overnight, and couldn't think of even one good reason not to shut it down until the site was secured.

"Maybe I'm missing something, but I can't imagine what that would be."
 