Two Plus Two Publishing LLC
Two Plus Two Publishing LLC
 

Go Back   Two Plus Two Poker Forums > > >

Notices

High Stakes PL/NL Discussions about high stakes pot-limit and no-limit hold'em (10-20 and up) Forum is closed; read only.

 
 
Thread Tools Display Modes
Old 05-06-2010, 07:15 PM   #1
Jul.Jack
grinder
 
Join Date: Nov 2008
Location: Montreal
Posts: 461
UB/AP (Cereus) doesn't encrypt it's data.

I have never posted in this forum and I wouldn't usually start a thread, but this is a very serious issue.

Disclaimer: The level of incompetence required from Cereus for such a security flaw to be real would be so great, I'm having a hard time believing that this is true. But until PTR's story has been disproved, I advise extreme caution.
https://forumserver.twoplustwo.com/29...curity-778002/
http://www.poker*table*ratings.com/b...poker-network/

Quote:
The issue in general terms is that rather than using industry standard SSL encryption Cereus has used a custom form of encoding (not encryption) which can be cracked using the windows calculator.
Quote:
Almost every poker network uses some implementation of the SSL protocol, which is the same type of security mechanism that everyone from banks to government agencies use to secure their data. There are several freely available implementations of this protocol including the open source OpenSSL . SSL is the industry standard, and is generally regarded as best practice for encrypting network transmissions.

The problem is that the Cereus Poker network does not use SSL to encrypt their communications; they use a custom form of encryption which is XOR-based. This form of encryption is known to be extremely weak, and in fact their particular implementation makes it particularly simple to decrypt network data due to an easily discoverable key.

In fact, the encryption that the Cereus Network employs isn’t so much encryption as it is encoding. To see how simple it is to decode this data, simply open up your windows calculator and set it on scientific mode. All that is really necessary to decode the data stream is the XOR button .
As a computer engineer, this is an extremely serious security flaw that shows a level of incompetence previously unheard of (even for UB).

DO NOT PLAY ON UB/AP. DO NOT LOG ON UB/AP. And if you do so, don't do it on any form of public network or wireless network with weak security and only do so to cash out your bankroll. This isn't about UB/AP being shady or having done wrong in the past. This is a very real and serious security issue.
Jul.Jack is offline  
Old 05-06-2010, 07:17 PM   #2
ArrrInnn
adept
 
Join Date: Aug 2009
Posts: 1,178
Re: UB/AP (Cereus) doesn't encrypt it's data.

so sick
ArrrInnn is offline  
Old 05-06-2010, 07:18 PM   #3
i think ill pass
grinder
 
i think ill pass's Avatar
 
Join Date: Mar 2010
Posts: 497
Re: UB/AP (Cereus) doesn't encrypt it's data.

What information is at risk of being decoded?
i think ill pass is offline  
Old 05-06-2010, 07:22 PM   #4
Jul.Jack
grinder
 
Join Date: Nov 2008
Location: Montreal
Posts: 461
Re: UB/AP (Cereus) doesn't encrypt it's data.

Quote:
Originally Posted by i think ill pass View Post
What information is at risk of being decoded?
EVERYTHING.
Hole card in real time. Login/Password. Everything transmitted between your PC and Cereus' server.

There's a 4 minute video on PTR, watch it.
Jul.Jack is offline  
Old 05-06-2010, 07:26 PM   #5
SleeveOfWizard
veteran
 
SleeveOfWizard's Avatar
 
Join Date: Jan 2008
Location: Crushing
Posts: 2,550
Re: UB/AP (Cereus) doesn't encrypt it's data.

Blows my mind that they show this video in such great detail ****ing BEFORE it has been fixed in one way or another.
SleeveOfWizard is offline  
Old 05-06-2010, 07:27 PM   #6
ArrrInnn
adept
 
Join Date: Aug 2009
Posts: 1,178
Re: UB/AP (Cereus) doesn't encrypt it's data.

i have been logged in all day on ub on a wireless network just logged out what should i do?
ArrrInnn is offline  
Old 05-06-2010, 07:35 PM   #7
Sjors
banned
 
Sjors's Avatar
 
Join Date: Sep 2008
Posts: 623
Re: UB/AP (Cereus) doesn't encrypt it's data.

Quote:
Originally Posted by ArrrInnn View Post
i have been logged in all day on ub on a wireless network just logged out what should i do?
feel ashamed you still play there
Sjors is offline  
Old 05-06-2010, 07:37 PM   #8
Baobhan-Sith
Pooh-Bah
 
Baobhan-Sith's Avatar
 
Join Date: Oct 2009
Posts: 4,284
Re: UB/AP (Cereus) doesn't encrypt it's data.

Ugh **** guess I'll have a break then ffs... this is unbelievable. Damn I don't want to move to FTP or some tiny room, omg what a beat. Thx for the warning RTR + OP.
Baobhan-Sith is offline  
Old 05-06-2010, 07:37 PM   #9
MatthewRyan
President of Upswingpoker
 
Join Date: Sep 2005
Posts: 5,998
Re: UB/AP (Cereus) doesn't encrypt it's data.

wow
MatthewRyan is offline  
Old 05-06-2010, 07:38 PM   #10
Jul.Jack
grinder
 
Join Date: Nov 2008
Location: Montreal
Posts: 461
Re: UB/AP (Cereus) doesn't encrypt it's data.

Quote:
Originally Posted by SleeveOfWizard View Post
Blows my mind that they show this video in such great detail ****ing BEFORE it has been fixed in one way or another.
This video does not represent a security problem any more then their article simply stating that "UB doesn't use SSL but some form of XOR based encoding". PTR did a great job. Technically, they should've provided some time for Cereus to fix the problem, but considering the issue at hand and Cereus' track record, I can't blame them.

Quote:
Originally Posted by ArrrInnn View Post
i have been logged in all day on ub on a wireless network just logged out what should i do?
Nothing. The odds of actually having had your account compromised are extremely low. Just don't play there anymore until further news. (and you know, don't play there ever again)

Last edited by Jul.Jack; 05-06-2010 at 07:57 PM. Reason: spelling
Jul.Jack is offline  
Old 05-06-2010, 08:18 PM   #11
NoahSD
Is Right
 
NoahSD's Avatar
 
Join Date: Aug 2005
Posts: 18,865
Re: UB/AP (Cereus) doesn't encrypt it's data.

For the record, this doesn't let anyone see your hole cards. They'd need to be either plugged into your network or be able to read traffic from your wireless network. So the odds of somebody using this to exploit you are pretty low in general. (The one time when I'd really be worried is when lots of poker players are in the same place using the same networks, like at big tournaments.)

It's still completely ridiculous that AP/UB were this incompetent and didn't follow basic industry standards.
NoahSD is offline  
Old 05-06-2010, 08:28 PM   #12
Syous
Carpal \'Tunnel
 
Syous's Avatar
 
Join Date: Jun 2007
Location: ploville
Posts: 6,907
Re: UB/AP (Cereus) doesn't encrypt it's data.

^^ what he said

the real issue is if you're playing poker on this network on an unsecured network i.e. airports.

According to the article, as long as u're on a secured network u're fine
Syous is offline  
Old 05-06-2010, 08:30 PM   #13
Jul.Jack
grinder
 
Join Date: Nov 2008
Location: Montreal
Posts: 461
Re: UB/AP (Cereus) doesn't encrypt it's data.

Quote:
Originally Posted by Syous View Post
According to the article, as long as u're on a private secured network u're fine
FYP, kinda

Last edited by Jul.Jack; 05-06-2010 at 08:33 PM. Reason: Having a 100% secure network is harder then most people think.
Jul.Jack is offline  
Old 05-06-2010, 08:30 PM   #14
NoahSD
Is Right
 
NoahSD's Avatar
 
Join Date: Aug 2005
Posts: 18,865
Re: UB/AP (Cereus) doesn't encrypt it's data.

Quote:
Originally Posted by Syous View Post
^^ what he said

the real issue is if you're playing poker on this network on an unsecured network i.e. airports.

According to the article, as long as u're on a secured network u're fine
That's not true:

Quote:
The biggest step a Cereus player can take to protect them is to simply stop playing on the Cereus Network until these issues have been resolved. There is no way of being 100% secure at the moment.
NoahSD is offline  
Old 05-06-2010, 08:36 PM   #15
jalexand42
Hypothetical Ubermonkey
 
jalexand42's Avatar
 
Join Date: Oct 2005
Location: Open Shoving My Range
Posts: 5,162
Re: UB/AP (Cereus) doesn't encrypt it's data.

LOL OMG @ THIS. As someone who has a ton of background in IT security, WOWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW.

This is SOO bad and SOO non standard, I almost suspect it was intentional to encrypt data in this manner.
jalexand42 is offline  
Old 05-06-2010, 08:39 PM   #16
jalexand42
Hypothetical Ubermonkey
 
jalexand42's Avatar
 
Join Date: Oct 2005
Location: Open Shoving My Range
Posts: 5,162
Re: UB/AP (Cereus) doesn't encrypt it's data.

Also, to be clear, if you are playing on UB right now after this vulnerability has been made public, some random talented IT guy that works for your ISP or ANY ISP up stream between you and UB could potentially sniff your traffic and hack you.

I believe in the video he stated they were using MD5 hashes, and that means that someone could have your password VERY quickly if they got your MD5 hash and brute forced it. Just wow.

Edit: If you are using the same passwords on UB that you use on other sites, I'd change the passwords on the OTHER sites IMMEDIATELY.
jalexand42 is offline  
Old 05-06-2010, 08:44 PM   #17
oldjude
Pooh-Bah
 
oldjude's Avatar
 
Join Date: Sep 2008
Location: Zoom
Posts: 4,254
Re: UB/AP (Cereus) doesn't encrypt it's data.

AHEM xbl***. glad ive never played on ub an i damn sure never will.
oldjude is offline  
Old 05-06-2010, 08:52 PM   #18
tcorbin16
Carpal \'Tunnel
 
Join Date: Mar 2006
Location: thou shalt never fold
Posts: 6,748
Re: UB/AP (Cereus) doesn't encrypt it's data.

wooooooowwwwwwwwwww. REAL COOL WAY TO GET CHEATED OUTTA 200k+

**** YOU UB. **** u xblin*.
tcorbin16 is offline  
Old 05-06-2010, 08:56 PM   #19
Clayton
Carpal \'Tunnel
 
Clayton's Avatar
 
Join Date: Oct 2004
Location: San Diego
Posts: 30,846
Re: UB/AP (Cereus) doesn't encrypt it's data.

Looks like Xblink had a lot of friends working for ISPs, huh
Clayton is offline  
Old 05-06-2010, 09:01 PM   #20
spadebidder
Actually Shows Proof
 
spadebidder's Avatar
 
Join Date: Aug 2008
Location: This looks interesting.
Posts: 7,906
Re: UB/AP (Cereus) doesn't encrypt it's data.

Now that this has been published, every part-time poker player working for a backbone ISP carrying Cereus traffic is going to fire up their packet sniffer and try to hack it. I anticipate a software update in 24-48 hours if it's true. It's simple to wrap their protocol in SSL.
spadebidder is offline  
Old 05-06-2010, 09:08 PM   #21
Percula
Pooh-Bah
 
Percula's Avatar
 
Join Date: Jun 2004
Location: Phoenix
Posts: 4,159
Re: UB/AP (Cereus) doesn't encrypt it's data.

Also be careful on cable modem networks. It used to be very common for cable ISP networks to be built in such a way as to allow one customer to see another customers traffic in the same small geographic area. (For the IT geeks... think hub versus switch on the cable node in your area)

If you do not know if your cable ISP uses a shared network or not, opt for the safe solution of not playing.
Percula is offline  
Old 05-06-2010, 10:48 PM   #22
NLfool
banned
 
Join Date: Jul 2003
Posts: 3,092
Re: UB/AP (Cereus) doesn't encrypt it's data.

Quote:
Originally Posted by NoahSD View Post
(The one time when I'd really be worried is when lots of poker players are in the same place using the same networks, like at big tournaments.)
.
this is how I've heard people in Commerce, Aruba, LV got hacked.
NLfool is offline  
Old 05-06-2010, 10:53 PM   #23
Actionjunkie
adept
 
Join Date: Mar 2010
Posts: 1,032
Re: UB/AP (Cereus) doesn't encrypt it's data.

At some point don't people deserve to get robbed if they play at AP/UB??
Actionjunkie is offline  
Old 05-06-2010, 11:12 PM   #24
PBJaxx
2010 WSOP November 9er
 
PBJaxx's Avatar
 
Join Date: Jan 2006
Posts: 4,330
Re: UB/AP (Cereus) doesn't encrypt it's data.

Wow.
PBJaxx is offline  
Old 05-06-2010, 11:41 PM   #25
skelm
veteran
 
skelm's Avatar
 
Join Date: Dec 2006
Location: Brisbane, Australia
Posts: 3,449
Re: UB/AP (Cereus) doesn't encrypt it's data.

Wow, just wow.
skelm is offline  

 
      

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Forum Jump


All times are GMT -4. The time now is 12:14 AM.


Powered by vBulletin®
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright © 2008-2017, Two Plus Two Interactive
 
 
Poker Players - Streaming Live Online