This article is a companion to the security advisory PTR has released, which is viewable at: PTR Security Advisory: Cereus Poker Uses Weak Encryption. It is intended to explain the severity and implications of this security risk to the broader, non-technical poker-playing audience.
Overview
PokerTableRatings has discovered a critical flaw in the Cereus Poker software, which affects both Absolute Poker and Ultimate Bet, allowing an attacker to hijack victims’ poker accounts and display their hole cards in real time. We have alerted the Cereus Network to this vulnerability, providing them with the source code necessary to demonstrate the problem. We hope our e-mail and this bulletin are sufficient motivation for them to fix it.
We have no way of knowing if this exploit has been discovered and used to steal from Cereus users, but it seems unlikely. It is our hope that this information will allow Cereus users to protect themselves.
The issue, in general terms, is that rather than using industry-standard SSL encryption, Cereus has used a custom form of encoding (not encryption) that can be undone with nothing more than the Windows Calculator.
For interested readers we have explained the vulnerability below in as non-technical a manner as we could; otherwise you can skip ahead to the section entitled “Risk Levels for Players.”
Cereus Poker has responded to our communications with them about this issue. You can view these communications here.
Proof of Concept
Explanation
When you log into a poker client on your PC, what actually happens behind the scenes is that a connection is established to the servers owned and operated by the poker network. This connection carries all data between your PC and the servers, including your username and password, your betting actions, and your hole cards.
This can be thought of as a conversation between your computer and the poker network, which might go something like:
PC: I’d like to play poker my username is bob and my password is 123456
Server: You are logged in
Or:
Server: A new hand has started at your Table 1
PC: Ok
Server: Your hole cards for Table 1 are Ac Jh
PC: Ok
On other poker networks this data is encrypted in a manner that prevents intercepted traffic from being used to gain access to your account or to read your hole cards. In effect the conversation is scrambled to prevent eavesdropping, so that someone listening in cannot “hear” your password.
Almost every poker network uses some implementation of the SSL protocol, the same type of security mechanism that everyone from banks to government agencies uses to secure their data. There are several freely available implementations of this protocol, including the open-source OpenSSL. SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.
The problem is that the Cereus Poker network does not use SSL to encrypt its communications; it uses a custom, XOR-based scheme. XOR with a fixed key is a reversible transformation rather than real encryption: anyone who learns the key can undo it, and because large parts of a poker protocol are predictable (the same commands and field names appear in every session), the key can be recovered from captured traffic alone. Cereus’s particular implementation makes this especially simple because the key is easily discoverable.
In fact, what the Cereus Network employs isn’t so much encryption as encoding. To see how simple it is to decode this data, open the Windows Calculator and set it to scientific mode. All that is really necessary to decode the data stream is the XOR button.
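To make the “XOR button” concrete, here is an added example. It is not PTR’s test code and it does not use Cereus’s real key or wire format: the key `TOY_KEY`, the `LOGIN`/`DEAL` message layout and every function name below are made-up stand-ins chosen for this illustration. It shows three things a practitioner would want to see: that decoding is the same operation as encoding, that a short piece of predictable plaintext (a command word or field name) is enough to recover a repeating key from captured traffic, and that XOR traffic can also be altered in transit without the key at all.

```python
# --- constructed toy protocol -------------------------------------------------
# The key, the message layout and the field names below are assumptions made
# for this illustration. They are NOT the real Cereus key or wire format.
TOY_KEY = bytes.fromhex("3a5c91e7")


def xor_transform(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key gives the input
    back, so 'encoding' and 'decoding' are literally the same operation: the
    XOR button in Windows Calculator applied byte by byte."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Two messages an eavesdropper might capture, built with the toy key.
CAPTURED_LOGIN = xor_transform(b"LOGIN user=bob pass=123456", TOY_KEY)
CAPTURED_DEAL = xor_transform(b"DEAL table=1 cards=Ac Jh", TOY_KEY)


def recover_key(ciphertext: bytes, known_plaintext: bytes, offset: int = 0) -> bytes:
    """Known-plaintext key recovery.

    Any predictable fragment (a fixed command word, a field name such as
    'user=') at a known offset gives key_stream = ciphertext XOR plaintext for
    that span. With a repeating key the stream repeats with the key's period,
    so we look for the smallest period that explains it, then rotate it back to
    message offset 0. Too short a fragment cannot confirm a period, so we
    refuse rather than guess."""
    span = ciphertext[offset:offset + len(known_plaintext)]
    stream = bytes(c ^ p for c, p in zip(span, known_plaintext))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            break
    else:
        raise ValueError("known plaintext too short to confirm the key period")
    s = stream[:period]
    shift = offset % period  # stream[0] is key[offset % period]
    return s[-shift:] + s[:-shift] if shift else s


def decode_login(ciphertext: bytes, key: bytes) -> dict:
    """Decode a captured login message and pull out the credentials."""
    text = xor_transform(ciphertext, key).decode("ascii")
    return dict(part.split("=", 1) for part in text.split()[1:])


def decode_hole_cards(ciphertext: bytes, key: bytes) -> str:
    """Decode a captured deal message and return the hole cards."""
    text = xor_transform(ciphertext, key).decode("ascii")
    return text.split("cards=", 1)[1]


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR is malleable: without knowing the key, an attacker who knows what
    plaintext sits at an offset can flip it to chosen plaintext, because
    c XOR old XOR new decodes to new. Real encryption with integrity
    protection (SSL/TLS) rejects such modified records."""
    patched = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        patched[offset + i] ^= o ^ n
    return bytes(patched)


def demo() -> dict:
    """Recover the key from the login's fixed header, then read both messages
    and forge a card change in the deal without ever touching the key."""
    key = recover_key(CAPTURED_LOGIN, b"LOGIN user=")
    forged = tamper(CAPTURED_DEAL, 12 + len(" cards="), b"Ac", b"Ah")
    return {
        "key": key.hex(),
        "login": decode_login(CAPTURED_LOGIN, key),
        "cards": decode_hole_cards(CAPTURED_DEAL, key),
        "forged_cards": decode_hole_cards(forged, key),
    }


if __name__ == "__main__":
    print(demo())
```

The period search is the point to watch: with fewer known bytes than twice the key length it cannot distinguish the real key from a coincidental shorter pattern, which is why `recover_key` refuses rather than returning a plausible-looking wrong key.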
The only requirement for exploiting this vulnerability is access to the victim’s network traffic. If you are playing on an open wireless network, a cracked wireless network (something that is increasingly simple to do), or on a physical network that has been compromised, an attacker can capture the traffic and exploit this vulnerability maliciously. Decoding the traffic is entirely passive: the attacker only has to listen, and sends nothing to the victim’s PC.
Implications
The implications are that Cereus Poker accounts can be compromised and their funds stolen, and that an attacker can learn the hole cards a Cereus Poker player is dealt in real time, then presumably exploit that knowledge for an advantage against them at the tables.
This attack can either be directed, in which a person who is known to play on the Cereus Network is targeted and exploited – or passive in which an entire network’s traffic is logged and communications to the Cereus Network servers are decrypted.
Wireless networks are particularly exploitable due to the ease with which they can be compromised without having physical access, only proximity to the victim. Indeed in many cases they won’t even need to be compromised because the wireless network is not encrypted.
Physical networks are also vulnerable to a variety of attacks, especially if the network runs on a hub (instead of a switch), which repeats every packet to every port and so lets an attacker passively observe all traffic. A wired network can also be compromised at any of the network hops between a victim’s PC and the Cereus servers. Even on a switched network, ARP cache poisoning (ARP spoofing) can fool the victim’s PC into sending all of its packets to an attacker’s PC, which then transparently relays them to the router, so the victim keeps uninterrupted internet access and notices nothing.
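The ARP cache poisoning described above leaves a visible trace on the wire: the gateway’s IP suddenly answers from a different MAC address, and one MAC starts claiming several IPs. As an added example (not part of the original advisory), here is a small detector that runs that check over ARP replies in the format `tcpdump -n` prints them. The log lines, addresses and the gateway IP `192.168.1.1` are constructed for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies in the style tcpdump -n prints them, as
# seen from a monitoring position on the LAN. Addresses are made up for this
# illustration. The last two lines are what an attacker poisoning both ends
# looks like: one MAC suddenly claims both the gateway and the victim.
SAMPLE_ARP_LOG = """\
12:00:01.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:01.350 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:02.010 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:05.700 ARP, Reply 192.168.1.1 is-at 00:de:ad:be:ef:01, length 28
12:00:05.701 ARP, Reply 192.168.1.20 is-at 00:de:ad:be:ef:01, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)


def detect_arp_spoofing(log_text, gateway_ip="192.168.1.1"):
    """Two signals of ARP cache poisoning:
    1. an IP's advertised MAC changes mid-capture (strongest for the gateway,
       which is what an attacker must impersonate to relay your traffic);
    2. one MAC claims more than one IP, i.e. something sitting between hosts.
    Both also happen legitimately (router swap, DHCP address reuse, a box with
    several addresses), so treat these as alerts to verify against the
    gateway's known MAC (compare with 'arp -a'), not as proof."""
    last_mac = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue
        ts, ip, mac = m.group("ts", "ip", "mac")
        prev = last_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": ts, "kind": "mac_changed", "ip": ip,
                "old": prev, "new": mac, "gateway": ip == gateway_ip,
            })
        last_mac[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append({
                "time": ts, "kind": "mac_claims_many", "mac": mac,
                "ips": sorted(ips_by_mac[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print(alert)
```

On the constructed log the first three lines are quiet; the last two produce a gateway MAC change, a victim MAC change, and a single MAC claiming both addresses, which is the signature of a relay sitting between the player and the router.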
Testing
In our lab, using a dummy cracked wireless network, we were able to hijack our own test poker accounts without being connected to the network the test victim was playing on. We were also able to observe the test victim’s hole cards in real time as they were dealt, using the same mechanisms.
All of our tests were done in a lab environment using cheap, commercial-grade hardware. Some custom software is involved in actually logging into a hijacked account and decrypting the hole cards; the source for all of the testing totals less than 500 lines. The wireless network cracking and snooping was done using freely available open-source software.
Risk Levels for Players
The chart below attempts to quantify the level of risk a player has of being victimized in each type of networking scenario.
| Network Type | Risk Level |
|---|---|
| Public Unsecured Wireless | Severe |
| Public Secured Wireless | Moderate-High |
| Public Wired | Moderate |
| Home Unsecured Wireless | Moderate |
| Home Secured Wireless | Moderate-Low |
| Home Wired | Low |
Examples:
| Example | Network Type | Risk Level |
|---|---|---|
| Unknown wireless network in a college dorm called “Linksys” | Public Unsecured Wireless | Severe |
| Starbucks or airport wireless, requiring login | Public Secured Wireless | Moderate-High |
| School computer lab, plugged in | Public Wired | Moderate |
| Home wireless network called “Linksys” or “netgear”, not requiring a key or using a WEP key (a 10-, 26-, or 58-digit hexadecimal number, sometimes generated from a user passphrase) | Home Unsecured Wireless | Moderate |
| Home wireless network requiring a WPA2 key | Home Secured Wireless | Moderate-Low |
| Home wired network | Home Wired | Low |
Note that a login page on public wireless (a captive portal) only controls who may use the connection; it does not by itself encrypt the radio link, and where a WPA2 key is handed out to every customer, other customers who capture your connection setup can still decode your traffic. That is why a “secured” public network still rates well above a secured home network.
*It is worth mentioning here that a player who can be specifically targeted is at an unquantifiable but elevated level of risk.
Suggestions for Players
The biggest step a Cereus player can take to protect themselves is simply to stop playing on the Cereus Network until these issues have been resolved. There is no way of being 100% secure at the moment. The suggestions below are precautionary and are in no way guaranteed to prevent exploitation.
If a player chooses to continue playing on the Cereus Network while it is still vulnerable, they should at minimum plug directly into their modem. This removes the local network entirely, so nobody sharing it with you can capture your traffic. If a wired connection is not an option, the player should make absolutely sure their wireless network is encrypted using WPA2 with a strong passphrase, since WPA2 is only as strong as the passphrase protecting it.
We absolutely advise against playing on any unknown or public networks –especially wireless networks.
We also recommend against a player revealing that they play on the Cereus Network until these issues are resolved, so as to avoid making themselves a target.
Suggestions for Cereus Network
In order to properly resolve these vulnerabilities the Cereus Network should upgrade all of its network communications to use SSL/TLS via the industry-standard OpenSSL library, which is freely available at http://www.openssl.org/. When implementing the SSL changes, be sure to validate the server’s certificate (both the chain of trust and the hostname) so as to prevent an SSL man-in-the-middle attack; an SSL client that accepts any certificate it is shown is only marginally better than no SSL at all.
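The certificate validation point deserves a concrete illustration, so here is an added example (not Cereus’s or PTR’s code). It uses Python’s standard `ssl` module rather than the C OpenSSL API, but the two settings it contrasts, requiring a certificate from a trusted CA and checking that it names the host being dialed, are the same ones any OpenSSL client must get right. The function names, the `cafile` parameter and the `connect_checked` helper are this example’s own. No network connection is made in the demonstration path; the contexts are only built and inspected, so it runs offline.

```python
import ssl
import socket


def verifying_client_context(cafile=None):
    """The correct client configuration: trust only the CA bundle given (or the
    system store), require a certificate, and check that it names the host we
    dial. Also refuse the TLS versions that are no longer considered safe."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_client_context():
    """The shortcut that 'makes the certificate errors go away' during
    development. With these two lines any certificate is accepted, so an
    attacker on the LAN can present their own, terminate SSL, and read
    everything: the player gets a padlock with none of the protection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx):
    """Return the list of problems with a client SSLContext. An empty list
    means it will reject a man-in-the-middle presenting a certificate the CA
    store did not issue for the expected hostname."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, "
                        "including an attacker's, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for "
                        "some other site is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    return findings


def connect_checked(host, port=443, cafile=None, timeout=5.0):
    """Open a verified TLS connection and return the negotiated protocol and
    the server certificate's subject. A man-in-the-middle makes this raise
    ssl.SSLCertVerificationError instead of silently continuing. Not used by
    the offline checks below; run it by hand against a real host."""
    ctx = verifying_client_context(cafile)
    problems = audit_client_context(ctx)
    if problems:
        raise RuntimeError("refusing to connect with a weak context: %s" % problems)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["subject"]


if __name__ == "__main__":
    print("verifying context:", audit_client_context(verifying_client_context()))
    print("unverified context:", audit_client_context(unverified_client_context()))
```

A useful habit is to run `audit_client_context` (or its equivalent in whatever language the client is written in) in the client’s own startup path and refuse to run with a weak context, as `connect_checked` does; the failure mode this guards against is exactly the one where a developer disables verification to get past a test-lab certificate and the setting ships.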
We would also recommend that the Cereus Network undergo a real and impartial security audit. We’re happy to lend a hand in whatever way we can in this regard.
Synopsis
In summary, there is a critical vulnerability in the Cereus Network software which makes it possible for an attacker to hijack poker accounts and view hole cards. The only 100% protection is to stop playing on Cereus Network until they upgrade to using SSL. To our knowledge there are no cases of this vulnerability being used to exploit actual players. PokerTableRatings.com created test accounts for all proof of concept testing done during the discovery of this vulnerability. We do not have passwords to any unauthorized user accounts. The Cereus Network has been notified of this vulnerability. We will continue to report on this as it develops.
Update 2010-05-06: Cereus poker has responded and appears to be taking these flaws seriously, read response here: http://www.pokertableratings.com/blog/2010/05/cereus-poker-security-response/
Tags: SSL



So if I understand this correctly, somebody has to be in range of another person playing at these sites in order for this exploit to work? I don’t see how anyone can use this exploit then, unless they know exactly if someone in their neighbourhood is playing at these sites and know when they play. And even then most players play at 6 tables or full ring tables; you would still not know what all the other players were having for cards. Also these sites can track someone who is dumping money, which is what something like this would look like if you constantly lose without winning a single hand against someone else.
@qwerty
you don’t understand it correctly, read again
I know UB has had a checkered past with security, but I think I need to call out PTR on this one. Playing at home on a WPA2 secured network is a moderate-low risk? Total rubbish. Forget WPA being compromised, yes it’s possible, but somebody with the knowledge and equipment to do it has bigger fish to fry than some suburban house, those people target large banks and are interested in trade secrets and credit card numbers, not $100 in a poker account.
If someone has access to your home network they either broke your WEP encryption or they infected a comp on your home network with some malware from the internet. The people capable of breaking wireless encryption are few and far between. Yes it’s fairly straightforward, but not many people are willing to spend the time and effort to learn how to do it and get the necessary equipment. So you can write that one off(although you should be using WPA as it’s easier to use as well as being more secure).
If your comp has malware, everything on it is compromised already, web banking, online shopping, they probably already have your credit card details, who cares about your poker account? A keylogger will get your login details and a simple app like vnc will get your holecards in realtime no problem.
If you run a wireless network with no encryption at home then you are foolish, but tbh you would also have to live next to someone with good knowledge of networking theory. ‘Some guy next door’ isn’t going to cut it. This exploit is simple if you know about TCP/IP and wireless packet sniffing and are malicious. Most hackers are just fooling around, not looking to cause trouble, and even then, they are very rare. Having said all that, _all_ wireless networks you control should be running on WPA unless you have a very good reason, a good enough reason to warrant having your identity stolen.
The fact is, many things are vulnerable if your network is compromised. It’s quite easy to fool a user into giving you his login for most websites/forums etc… once you have local network access. Also, it’s a lot easier to then compromise his/her machine with malware, at which point it’s game over as I mentioned above, bypassing the need for a fancy vulnerability like above.
This vulnerability is only a problem for people who feel the need to log into sensitive accounts on open public networks. Would you feel comfortable doing web banking on an airport’s wireless network? The risk is similar to this vulnerability above in that you shouldn’t use/login to important stuff on open networks, it comes down to common sense. If you don’t have common sense, this vulnerability is a problem for you, if you do exercise common sense then you have nothing to worry about.
As for “However a physical network can also be compromised by any network hops between a victims’s PC and the Cereus servers.”, that takes the biscuit. Clearly just trying to scare people with little knowledge of computers. Yes this is true, but unless you can walk into a major ISP which happens to carry all of the victim’s traffic (very unlikely) and jack into their core routers and then run packet filtering software and feel you can get away with it, then you have nothing to worry about. The core of the internet is pretty safe from eavesdropping, partly because there is so much traffic so you need expensive hardware to filter packets and partly because you can’t just jack into core routers, they are behind locked doors. Your home network is the point of failure, you can safely assume the internet itself is secure from eavesdropping.
In a nut shell, this exploit poses the same threat as having your identity stolen online. If your home network is compromised, so many other things are already fucked you won’t care about your UB account. You probably won’t be able to use your computer anyway because it will be riddled with spamming software.
Props on finding this vulnerability, but the scaremongering is fairly unacceptable. It isn’t a major problem, it really only affects a very small minority of cases where people are being stupid and a pretty knowledgeable hacker just happens to be very close by.
Before anyone asks, I’m not affiliated with Cereus. Even if I were, everything I just said is true, look it up yourself. I just know a little about wireless and wired network security and when I see scaremongering of non-technical users.
Teflon19, you should post this on 2+2 in the News Views and Gossip thread. Maybe quell the hysteria a bit.
If they were passing your hole cards and login information in plain text, would you be a little more concerned? Well the cypher method they are using is only slightly better than plain text. The bottom line is that absolute and UB made all these claims about how secure their software is, but yet they don’t even implement SSL which is the internet standard. If any online banking site did not use SSL, it would be laughable. This is no different.
Have to agree with JohnAnthony. OK it might be hard for someone to hack in or whatever, I don’t even understand or care to understand what you have to do to see someones hole cards. What I do know is it seems easier to do it at AP and UB than any other site, as all other sites use the same security as online banks use. One would think after all the cheating scandals these sites have been involved in they would use the industry standard security at a minimum. Teflon says a run of the mill type person can’t access or use this security flaw and is probably right, but the superusers that used to work at these sites weren’t just everyday people either. Is this just another way for employees or owners to cheat? Who knows, but you would be very naive to rule it out. I would expect cash outs to be slow for a while.
PTR, stick to datamining.
@ Teflon
Really isn’t a major problem??? Are you serious? You left some things out of your “expert” analysis. How bout internal employees/contractors/vendors that already have access to the Cereus networks? Wasn’t it an internal employee who exposed the AP flaw a couple of years ago? How about the security of the rest of the Cereus network infrastructure, if they made a mistake like this (assuming it wasn’t done on purpose) what else did they screw up. To think that this is not an issue is naive, the fact that you would come make a post like this means you are either someone who really doesn’t have a good understanding of security concepts or you work for AP/UB. High stakes on AP/UB will be dead after this for good reason.
Absolute BS on PTR’s part, its a remote security issue and they post it on the FRONT FING PAGE to make themselves look good at the expense of Cereus. Pret Uncool
“Your home network is the point of failure, you can safely assume the internet itself is secure from eavesdropping.”
This made me laugh. If the internet is so safe then why do we have encryption at all? Hey lets all do our banking on non-secure sites because the internet is safe…
“As for “However a physical network can also be compromised by any network hops between a victims’s PC and the Cereus servers.” it takes the bisciut. Clearly just trying to scare people with little knowledge of computers. Yes this is true, but unless you can walk into a major ISP which happens to carry all of the victims traffic(very unlikely) and jack into their core routers and then run packet filtering software and feel you can get away with it then you have nothing to worry about.”
So what about all the hops on the Cereus physical network? Wouldn’t this be an attack vector as well? And the one that poses the most risk? If I was a hacker with criminal intent why would I try and compromise my neighbor’s machine and see 1 guy’s hole cards when I could potentially compromise the Cereus network and own everyone. Wait let me guess, Cereus does a great job at securing its network right? Wasn’t this the attack vector that was used when the AP internal employee used a flaw to win over $400K in a few months?
xblink tho
With all thats happened with AP/UB why is this site still running? It should be shut down!
The point being that they have had problems before. Why the heck would they pull this kind of stuff again. It is good information no matter what. If you are serious about your online poker you should be concerned about this type of problem.
THE TRUTH IS THIS: ONLINE POKER AT ANY STAKE IS NOT REALLY SAFE, AND THOSE OF YOU THAT THINK TILT AND STARS ARE 100% SAFE NEED TO WAKE UP; IF IT CAN HAPPEN AT ONE SITE IT CAN EASILY HAPPEN AT ANOTHER. NOT AN IT TECH HERE, BUT THERE ARE WAYS OF CORRUPTING SOFTWARE TO GAIN AN ADVANTAGE, AND ANYBODY WITH A SUPER USER ACCOUNT (AND DON’T THINK THEY DON’T EXIST, BECAUSE THEY CLEARLY DO) IS JUST NOT STUPID ANY MORE AND WON’T HAVE LIKE 500K IN ONE ACCOUNT AND TAKE THE PROS NIGHT AND DAY. THEY PLAY LOW LIMITS OVER 1K SN’S AND BLEED IDIOTS AND DONKS THAT WON’T KNOW ANY BETTER. WORD TO THE WISE, YOU HAVE BEEN WARNED
Has this been checked on other sites such as Fulltilt PS etc?
Fact is if you play online, you are getting scammed …and ripped off in some way
@ teflon19. You either have no money or you are on heroin! That was the dumbest analysis I have ever seen. Either way you should shut your mouth
OK, this is definitely a vulnerability, although SSL is not the ultimate answer, as an SSL man in the middle attack is just as do-able on the same LAN as the poker user .. a lot of noise has been made of this (as it probably should) although I don’t think everyone understands that it’s *only* if you’re actually on the same LAN and also that SSL isn’t a magic bullet to solve this .. the real issue is people protecting their wireless and wired LANs, not a massive CEREUS-only issue, to be fair to CEREUS. With proper hardware and SSL MITM tools, any of the other Poker systems could be hacked in a similar way. I’m sure it brought you boys lots of traffic though :)
[...] management squads. We learned about a new software platform designed from the ground up based on poor security considerations. Kind of a faux pas after you send the COO out to trumpet how all considerations going forward will [...]
[...] In May of this year Pokertableratings discovered a security hole in the Cereus network and published a video on YouTube showing abuse by a superuser. The cause appears to be a problem with data encryption, which at Cereus apparently does not use the industry standard Secure Sockets Layer (SSL). Whether this hole has since been closed is not known. [...]