Our readers will recall the recent security warnings from internet poker monitor PokerTable Ratings regarding encryption at the Cereus online poker network, a situation addressed speedily by the network in collaboration with PTR.
One would think that such a very public occurrence would have encouraged other networks to re-evaluate their own security measures, but this week PTR was active again – this time with the Cake Poker Network.
In a warning to online poker fans dated July 26, PTR reports that Cake Poker Network uses weak encryption and has poor security practices sufficiently worrying to warrant a ‘critical’ classification. The impact is the possible exposure of sensitive information, the site reports.
The PTR warning informs:
“The Cake poker network uses a weak xor based encryption mechanism for all network transmissions instead of the industry standard SSL [a situation similar to that reported on Cereus by PTR- ed.].
“The encryption key is sent in plain text and can be used to dump data from the datastream to the Cake client application.
“In our lab we are able to intercept and decode the user?s login name (e-mail address), screen name, and password in plain text, as well as their seat number and hole cards. We?ve also been able to remotely display all seat numbers and hole cards on a compromised network.
“All proof of concepts have been shown to work over a compromised WPA2 encrypted wireless network as well as unencrypted wireless networks, and physical network access (either through a hub, ARP man in the middle attack, or otherwise).”
Poker Table Ratings reports that Cake Poker has been notified of the vulnerability and advised to upgrade their software to use the free open source OpenSSL library. No solution was available from Cake when we went to press to print.
PTR recommends that players discontinue using the Cake network until the issue is addressed. Those players who choose to disregard the warning are urged to physically plug into your modem and bypass any switch, router, wireless network or other network device.
“We do not recommend playing on any unknown network connections,” PTR observes.
http://www.pokertableratings.com/blog/2010/07/ptr-security-alert-cake-poker-uses-weak-encryption/
Online poker sites Cake Poker, Cake Poker (beta), Doyle?s Room, RedStarPoker.com, Unabomber Poker, Intertops Poker, Sports Interaction are among those using the network.