New Found AP/UB Security Risks

[pokerprop]

Interesting article from a still rather new but always been credible thus far source.

Is threads about this on most major forums. Sure AP/UB will respond soon if it not programmed this way to cheat more players, or in a couple months if it is.

Anyways I don't know much about this stuff, so no idea if it is a big deal or not. The initial reaction on forums make it sound like a big deal of course though with a company that was caught stealing at least $40 million (likely more) from their customers and blamed it on old owners, though overwhelming evidence to suggest it was founders of each company that set this up (independently) and had current management caught in many lies and cover ups to assist them.. it can be expected any story about security involving this company (known industry wide as crooks) is going to be a big deal on forums. Again no idea if that should or should not be the case with this particular story.

[ramchip]

Interesting article from a still rather new but always been credible thus far source.

Is threads about this on most major forums. Sure AP/UB will respond soon if it not programmed this way to cheat more players, or in a couple months if it is.

Anyways I don't know much about this stuff, so no idea if it is a big deal or not. The initial reaction on forums make it sound like a big deal of course though with a company that was caught stealing at least $40 million (likely more) from their customers and blamed it on old owners, though overwhelming evidence to suggest it was founders of each company that set this up (independently) and had current management caught in many lies and cover ups to assist them.. it can be expected any story about security involving this company (known industry wide as crooks) is going to be a big deal on forums. Again no idea if that should or should not be the case with this particular story.

It's a very big deal! I have not touched AB / UB since the Potripper farse. Simply not to be trusted in my book!

[ramchip]

[pokerprop]

I'm skeptical of the video at this point, but concerned enough to follow it. I shot off a few emails to best hackers I know to get some feedback.

[pokerprop]

This company is a total fucking joke! I just sat for 5 minutes watching a stream of someone doing this exact same thing done in this video using their own UB account. He's a hacker who went to jail for (Edited Reason) so a little more advanced than anyone else, but it took him under 10 minutes to replicate the same thing that PTR did in their video.

Asked him how difficult this was to do, he said "not difficult very easy".

I didn't want to keep him tied up too long so didn't ask but thinking of it after the fact and from what I read all someone with any sort of decent skills needed as IP addresses of known UB players. Heck I know like 10 people capable of hacking forums I don't think this would of been too hard. However also I could of ran a league, tracked IP to downloads as an affiliate or simply a download site (even better cover) the possibilities are endless.

Bottom line it was not all that hard to hack user names and passwords. As far as getting someone hole card data, well that was extremely simple to do once you found the targets.

I don't want to make too many assumptions here, but I have another thought I'll post after researching it more. Anyways bottom line these cheats are either fucking stupid or these cheat are cheats. Either way they are cheats whether they are currently active or this was another example of their cheating or not.

When you market UB/AP you market crooks. Simple as that!

[pokerprop]

Encryption Issue - Ultimate Bet Blog

Hello UB’ers,

One hour ago, I learned about an article posted today on Poker Table Ratings (PTR) regarding an issue with the local encryption that we use on the Cereus Poker Network. For those of you not familiar with the issue, PTR was able to crack our local encryption method. I wanted to blog to make sure our players and the poker community know how seriously we take this issue.

I would like to start by reminding everyone that someone would have to have the technical capabilities to crack the encryption method we currently use and they would also have to hack into your local network in order to gain access to sensitive data. We are currently working on implementing a new encryption method and we expect to have it live in a matter of hours.

I would also like to say that I am very embarrassed and upset that this issue was not caught by our internal staff or through the countless audits we’ve been through this year and last year. We’ve invested a great deal of money into all types of security and I am very shocked that this was not identified by us or the many third party auditors we’ve employed.

Needless to say we plan to find new security resources and third parties to help us test this solution and make sure we provide you with the absolute best security that money can buy.

I would also like to thank PTR for identifying this issue and sharing it with us and the poker community.

We will continue to update you on this issue but we will not rest until it is fixed and as I stated earlier, we plan to have this issue resolved within a matter of hours.

Play well,

Paul Leggett

[pokerprop]

Needless to say we plan to find new security resources and third parties to help us test this solution and make sure we provide you with the absolute best security leaks the poker community can not detect.

Fixed your post Paul

[jdwanchalk]

The difference between this and the superuser case are drastic. With the superusers, it was a (relatively) small amount of offenders. With this, anyone could have been doing it. Either way, if someone was hacked, they likely will never know it. I wonder why PTR was even trying this, maybe they got a tip, I don't know.

[pokerprop]

This is actually far more serious than the super user scandal as it was very easy to do. However while perhaps all coincidence I'd like to point out:

The opportunity of insider "super user" cheating with this "security leak" in place could very likely have made pulling off super user cheating so much easier. With the old system there were finger prints left behind and the case was cracked due to whistle blowers who forwarded that data (those finger prints) to 2+2ers investigating this. This system while not as high tech on surface leaves no finger prints. This theoretically made it possible for a perpetrator with access to data stream between the server and clients computers access hole cards of each opponent. There would never be any proof which resides on the companies servers that such activity took place. In summary someone could theoretically access all hole cards leave no trace of it and with half a brain could slowly siphon money off the sites using a cautious method which would unlikely have their account reach the level of the radar that one would be suspicious of their activity. Of course with any statement of such nature their are legal concerns so I reemphasize this paragraph is not an accusation and their is one known hole in it which I have covered in the wording.

[MooreFish]

Before I got into affiliating, I spent about 12 years working in web development, managing web development teams, and working in corporate Information security, almost exclusively within the financial services industry.


I think the problem with this is threefold.

1) Their auditors are useless. When you're auditing any software dealing with financial transactions the first questions you always ask yourself are "Is their data secure, and is their communication of that data secure?" Clearly, it is not.

2) Their internal security team is even more useless. The reasons for this have come up time and time again.

3) And this is probably the most important of all.....their management team is the most useless of all. They clearly don't possess the knowledge or qualification to even hire someone competent. Management shouldn't need to know all that much about data encryption & security, but they sure as hell better know how to hire someone who does.

IMO, anyone promoting AP/UB deserves what they get when (not if, but when) they get burned for it. I'm amazed any pro will lend their name to this fiasco anymore.