Home-game hotshot Aaron Todd was an editor/writer at Casino City for nearly eight years, and is currently the Assistant Director of Athletics for Communications and Marketing at St. Lawrence University, his alma mater. While he is happy to play Texas Hold'em, he'd rather mix it up and play Omaha Hi/Lo, Razz, Deuce-to-Seven Triple Draw, and Badugi.
Security hole closed at UB, Absolute Poker
18 May 2010
By Aaron Todd
Tokwiro Enterprises, the owner of the CEREUS Poker Network, announced in a press release last night that it had upgraded the security protocol for Absolute Poker and UB.com to include OpenSSL encryption for client-server communications. The announcement comes 11 days after a serious flaw in the network's security system was discovered and revealed by the operators of the Web site PokerTableRatings.com (PTR).
Absolute Poker and UB are the only poker rooms that operate on the CEREUS network, which is the third-largest Internet poker network that accepts U.S. players.
"Our priority is our players, and providing them with a secure online poker environment," Tokwiro Chief Operating Officer Paul Leggett said in a statement. "The implementation of the OpenSSL standard achieves this for our players, and we will continue to conduct rigorous verification tests and submit to third party audits to ensure our entire operation is secure."
The flaw was revealed on May 6 by PTR, a Web site that scrapes hand histories on roughly half a dozen poker networks and allows players to search ring game results to determine if players have a history of winning or losing. The site includes a five-minute video showing how players' hole cards and log-in information could be intercepted on wireless networks.
"Wireless networks are particularly exploitable due to the ease with which they can be compromised without having physical access," the site explained. "Indeed in many cases they won't even need to be compromised because the wireless network is not encrypted."
The security hole caused a PR nightmare for UB, which was rocked by a cheating scandal two years ago when several players had access to "superuser" accounts and could see the other players' hole cards. Internet poker forum posters immediately linked the two incidents.
"Fool me once shame on you, fool me four or more times shame on me," wrote ezdonkey on the twoplustwo.com forums. "I can't help but wonder why people still play there."
Leggett responded to PTR immediately, saying he expected to have a solution to the problem "in a matter of hours." The next day, on both the Absolute Poker and UB blogs, Leggett stated that the problem had been fixed by "implementing a more advanced multi-layer encryption" and that an OpenSSL solution would be live in a week.
Many players were angry that the sites continued to run games despite the weaknesses in the network's security.
"Can you explain why the site was not shut down last night when you were aware of the problem instead of leaving a security issue to be ignored until this morning?" wrote SusieQue on the UB.com blog.
"We did consider shutting down Cereus temporarily," wrote UBMarketing in response. "However, we knew we could roll out a new solution in a matter of hours and we saw the threat of someone developing a hack to exploit this vulnerability, within that time frame, very unlikely."
While the upgrade made interception harder, it did not make it impossible. An upgrade to an OpenSSL solution was made eight days later that closed the security gap for hole cards, but players' login information could still be hijacked using the same methods outlined by PTR. On May 16, OpenSSL security was implemented across the entire site, and PTR acknowledged that "the biggest problems have been addressed."
The security problems certainly haven't done anything to help the network, which currently ranks eighth on PokerScout.com's traffic report. Compared to a similar 11-day stretch a month ago (April 8-18), peak real money traffic on the CEREUS network dropped more than eight percent during the security upgrade (May 6-16), according to PokerScout.com data.
Despite the problems, Leggett says he is doing everything he can to assure players that their accounts are safe on the CEREUS Network.
"We are communicating openly with PTR, our players, and the rest of the poker community to prove ourselves as a company that is safe to play at, and that we are serious about security," Leggett said in a statement.