Nothing Special   »   [go: up one dir, main page]

Open Side Menu Go to the Top

05-06-2010 , 07:15 PM
I have never posted in this forum and I wouldn't usually start a thread, but this is a very serious issue.

Disclaimer: The level of incompetence required from Cereus for such a security flaw to be real would be so great, I'm having a hard time believing that this is true. But until PTR's story has been disproved, I advise extreme caution.
http://forumserver.twoplustwo.com/29...curity-778002/
http://www.poker*table*ratings.com/b...poker-network/

Quote:
The issue in general terms is that rather than using industry standard SSL encryption Cereus has used a custom form of encoding (not encryption) which can be cracked using the windows calculator.
Quote:
Almost every poker network uses some implementation of the SSL protocol, which is the same type of security mechanism that everyone from banks to government agencies use to secure their data. There are several freely available implementations of this protocol including the open source OpenSSL . SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.

The problem is that the Cereus Poker network does not use SSL to encrypt their communications; they use a custom form of encryption which is XOR-based. This form of encryption is known to be extremely weak, and in fact their particular implementation makes it particularly simple to decrypt network data due to an easily discoverable key.

In fact, the encryption that the Cereus Network employs isn’t so much encryption as it is encoding. To see how simple it is to decode this data, simply open up your windows calculator and set it on scientific mode. All that is really necessary to decode the data stream is the XOR button .
As a computer engineer, this is an extremely serious security flaw that shows a level of incompetence previously unheard of (even for UB).

DO NOT PLAY ON UB/AP. DO NOT LOG ON UB/AP. And if you do so, don't do it on any form of public network or wireless network with weak security and only do so to cash out your bankroll. This isn't about UB/AP being shady or having done wrong in the past. This is a very real and serious security issue.
05-06-2010 , 07:17 PM
so sick
05-06-2010 , 07:18 PM
What information is at risk of being decoded?
05-06-2010 , 07:22 PM
Quote:
Originally Posted by i think ill pass
What information is at risk of being decoded?
EVERYTHING.
Hole card in real time. Login/Password. Everything transmitted between your PC and Cereus' server.

There's a 4 minute video on PTR, watch it.
05-06-2010 , 07:26 PM
Blows my mind that they show this video in such great detail ****ing BEFORE it has been fixed in one way or another.
05-06-2010 , 07:27 PM
i have been logged in all day on ub on a wireless network just logged out what should i do?
05-06-2010 , 07:35 PM
Quote:
Originally Posted by ArrrInnn
i have been logged in all day on ub on a wireless network just logged out what should i do?
feel ashamed you still play there
05-06-2010 , 07:37 PM
Ugh **** guess I'll have a break then ffs... this is unbelievable. Damn I don't want to move to FTP or some tiny room, omg what a beat. Thx for the warning RTR + OP.
05-06-2010 , 07:37 PM
wow
05-06-2010 , 07:38 PM
Quote:
Originally Posted by SleeveOfWizard
Blows my mind that they show this video in such great detail ****ing BEFORE it has been fixed in one way or another.
This video does not represent a security problem any more then their article simply stating that "UB doesn't use SSL but some form of XOR based encoding". PTR did a great job. Technically, they should've provided some time for Cereus to fix the problem, but considering the issue at hand and Cereus' track record, I can't blame them.

Quote:
Originally Posted by ArrrInnn
i have been logged in all day on ub on a wireless network just logged out what should i do?
Nothing. The odds of actually having had your account compromised are extremely low. Just don't play there anymore until further news. (and you know, don't play there ever again)

Last edited by Jul.Jack; 05-06-2010 at 07:57 PM. Reason: spelling
05-06-2010 , 08:18 PM
For the record, this doesn't let anyone see your hole cards. They'd need to be either plugged into your network or be able to read traffic from your wireless network. So the odds of somebody using this to exploit you are pretty low in general. (The one time when I'd really be worried is when lots of poker players are in the same place using the same networks, like at big tournaments.)

It's still completely ridiculous that AP/UB were this incompetent and didn't follow basic industry standards.
05-06-2010 , 08:28 PM
^^ what he said

the real issue is if you're playing poker on this network on an unsecured network i.e. airports.

According to the article, as long as u're on a secured network u're fine
05-06-2010 , 08:30 PM
Quote:
Originally Posted by Syous
According to the article, as long as u're on a private secured network u're fine
FYP, kinda

Last edited by Jul.Jack; 05-06-2010 at 08:33 PM. Reason: Having a 100% secure network is harder then most people think.
05-06-2010 , 08:30 PM
Quote:
Originally Posted by Syous
^^ what he said

the real issue is if you're playing poker on this network on an unsecured network i.e. airports.

According to the article, as long as u're on a secured network u're fine
That's not true:

Quote:
The biggest step a Cereus player can take to protect them is to simply stop playing on the Cereus Network until these issues have been resolved. There is no way of being 100% secure at the moment.
05-06-2010 , 08:36 PM
LOL OMG @ THIS. As someone who has a ton of background in IT security, WOWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW.

This is SOO bad and SOO non standard, I almost suspect it was intentional to encrypt data in this manner.
05-06-2010 , 08:39 PM
Also, to be clear, if you are playing on UB right now after this vulnerability has been made public, some random talented IT guy that works for your ISP or ANY ISP up stream between you and UB could potentially sniff your traffic and hack you.

I believe in the video he stated they were using MD5 hashes, and that means that someone could have your password VERY quickly if they got your MD5 hash and brute forced it. Just wow.

Edit: If you are using the same passwords on UB that you use on other sites, I'd change the passwords on the OTHER sites IMMEDIATELY.
05-06-2010 , 08:44 PM
AHEM xbl***. glad ive never played on ub an i damn sure never will.
05-06-2010 , 08:52 PM
wooooooowwwwwwwwwww. REAL COOL WAY TO GET CHEATED OUTTA 200k+

**** YOU UB. **** u xblin*.
05-06-2010 , 08:56 PM
Looks like Xblink had a lot of friends working for ISPs, huh
05-06-2010 , 09:01 PM
Now that this has been published, every part-time poker player working for a backbone ISP carrying Cereus traffic is going to fire up their packet sniffer and try to hack it. I anticipate a software update in 24-48 hours if it's true. It's simple to wrap their protocol in SSL.
05-06-2010 , 09:08 PM
Also be careful on cable modem networks. It used to be very common for cable ISP networks to be built in such a way as to allow one customer to see another customers traffic in the same small geographic area. (For the IT geeks... think hub versus switch on the cable node in your area)

If you do not know if your cable ISP uses a shared network or not, opt for the safe solution of not playing.
05-06-2010 , 10:48 PM
Quote:
Originally Posted by NoahSD
(The one time when I'd really be worried is when lots of poker players are in the same place using the same networks, like at big tournaments.)
.
this is how I've heard people in Commerce, Aruba, LV got hacked.
05-06-2010 , 10:53 PM
At some point don't people deserve to get robbed if they play at AP/UB??
05-06-2010 , 11:12 PM
Wow.
05-06-2010 , 11:41 PM
Wow, just wow.

      
m