[ISN] Owner of UltimateBet Confirms Security Breach

From: InfoSec News (alerts@private)
Date: Sat May 31 2008 - 01:28:57 PDT


http://www.cardplayer.com/poker-news/article/4279/owner-of-ultimatebet-confirms-security-breach

By Bob Pajich
Cardplayer.com
May 29, 2008

Former Employees Had Access to Opponents' Holecards for 21 Months

Tokwiro Enterprises, the company that owns both Absolute Poker and 
UltimateBet, today released a statement confirming that cheating had 
gone on at UltimateBet by people who, according to the release, "worked 
for the previous ownership of UltimateBet prior to the sale of the 
business to Tokwiro in October 2006."

The player or players behind the 18 screen names that were identified as 
being corrupted have not been named. Tokwiro will refund players their 
losses once the investigation is complete. The usernames that were used 
to cheat are: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, 
ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, 
stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, NYMobser, 
and WhoWhereWhen.

The cheating was able to take place because the perpetrators had access 
to what Tokwiro is calling an "unauthorized software code" that allowed 
the cheaters to see their opponents' holecards. The cheating took place 
from March 7, 2006 to Dec. 3, 2007, and it's not known how much money 
the cheater(s) illicitly won.

As soon as the cheating was suspected, Tokwiro said it contacted the 
Kahnawake Gaming Commission (KGC), the most widely used online poker 
regulatory commission, to start the investigation. Tokwiro is mandated 
to contact the KGC if any suspicious activity might be taking place.

This is the second cheating incident to hit the company since it 
purchased Absolute Poker and UltimateBet. The first occurred when it was 
discovered that several players at Absolute Poker also had access to 
software that allowed them to see opponents' holecards.

The entire press release, which provided a timeline of the incident, 
follows:

MONTREAL, CANADA (MAY 29, 2008) --- Tokwiro Enterprises ENRG 
("Tokwiro"), proprietors of UltimateBet.com ("UltimateBet"), one of the 
world's largest online card rooms, today announced the results of its 
lengthy investigation into allegations of unfair play, which was 
triggered by concerns about an account named 'NioNio'. Tokwiro has 
worked diligently in cooperation with its regulatory body, the Kahnawake 
Gaming Commission ("KGC"), and with independent third-party experts to 
conduct a thorough investigation that included a comprehensive review of 
hand histories and game data, thorough analyses of software and network 
security, and audits of its security practices and procedures.

The investigation has concluded that certain player accounts did in fact 
have an unfair advantage, and that these accounts targeted the highest 
limit games on the site. The individuals responsible were found to have 
worked for the previous ownership of UltimateBet prior to the sale of 
the business to Tokwiro in October 2006. Tokwiro is taking full 
responsibility for this situation and will immediately begin refunding 
UltimateBet customers for any losses that were incurred as a result of 
unfair play.

The fraudulent activity was enabled by unauthorized software code that 
allowed the perpetrators to obtain hole card information during live 
play. The existence of this vulnerability was unknown to Tokwiro until 
February 2008 and existed prior to UltimateBet's acquisition by Tokwiro 
in October 2006. Our investigation has confirmed that the code was part 
of a legacy auditing system that was manipulated by the perpetrators. 
Gaming Associates, independent auditors hired by the KGC, have confirmed 
that the software code that provided the unfair advantage has been 
permanently removed.

Throughout the investigation of this incident, Tokwiro's consistent 
priorities have been:

    * To permanently remove the ability to engage in unfair play;

    * To complete its investigation and come to a full understanding of 
      what occurred;

    * To refund the affected customers; and

    * To implement measures that prevent future incidents.

The Company said, "We would like to thank our customers for their 
patience, loyalty and support, as well as for their understanding that 
we are doing everything we can to correct this situation. The staff and 
management of UltimateBet are fully committed to providing a safe and 
secure environment for our players, and we want to assure customers of 
our unwavering resolve to monitor site security with every resource at 
our disposal."

Investigation Timeline

These are the key events in the course of the incident.


    * January 2008: UltimateBet is alerted to suspicions of unfair play 
      on the part of the account "NioNio". Within 24 hours, UltimateBet 
      contacts the KGC to provide formal notice that UltimateBet has 
      initiated an investigation of the incident. UltimateBet 
      subsequently forwarded a copy of all related data to the KGC.

    * January 2008: The "NioNio" account and related accounts are 
      suspended pending further investigation.

    * February 2008: Preliminary findings indicate abnormally high 
      winning statistics for the suspect accounts. After discussions 
      with the KGC, UltimateBet engages third-party gaming experts to 
      assist with the analysis.

    * February 2008: Investigators confirm that the suspect accounts are 
      associated with individuals who had worked for UltimateBet under 
      the previous ownership.

    * February 2008: UltimateBet discovers the unauthorized code that 
      allowed the perpetrators to obtain hole card information during 
      live play. The code was part of a legacy auditing system that was 
      manipulated by the perpetrators of the fraud.

    * February 2008: UltimateBet immediately removes the unauthorized 
      code and works with the KGC and with third-party auditors to 
      verify that the security hole has been eliminated.

    * March 2008: Six player accounts are confirmed to have participated 
      in this scheme. No accounts were deleted at any point, although 
      some account names were changed multiple times. The following 
      account names are known to have been used in the fraudulent 
      activity: NioNio, Sleepless, NoPaddles, nvtease, flatbroke33, 
      ilike2win, UtakeIt2, FlipFlop2, erick456, WhackMe44, RockStarLA, 
      stoned2nite, monizzle, FireNTexas, HeadKase01, LetsPatttty, 
      NYMobser, and WhoWhereWhen.

    * May 2008: The investigation confirms that the fraudulent activity 
      took place from March 7, 2006 to December 3, 2007.

    * May 2008: Gaming Associates certifies that the software code that 
      enabled unfair play was removed from UltimateBet servers in 
      February of 2008.

    * May 2008: Customers affected by this incident are identified, and 
      plans for corrective action are reviewed with the KGC.


Corrective Actions Taken

The following actions have been taken or are currently underway as a 
direct result of this investigation.

    * The security hole identified in UltimateBet's investigation has 
      been permanently eliminated.

    * UltimateBet is establishing a state-of-the-art software Security 
      Center that consolidates and greatly enhances existing security 
      capabilities. The first release of the new Security Center focuses 
      solely on the immediate detection of abnormal winnings. Gaming 
      mathematicians, poker professionals, and security software 
      developers have all contributed to the specifications for the new 
      Security Center.

    * UltimateBet customers are no longer permitted to change account 
      names unless they have suffered abuse in chat rooms. Requests for 
      changes must be supported by proof of abuse and must be approved 
      by the Chief Compliance Officer.

    * In addition to its existing security department, UltimateBet has 
      established a new specialized Poker Security team of professionals 
      dedicated to fraud prevention.

    * The refund process will begin immediately. The accounts associated 
      with fraudulent activity did not use an unfair advantage in all 
      play sessions. Regardless, UltimateBet is refunding all losses to 
      these accounts.

    * Accounts related to the fraudulent activity have been disabled, 
      and the individuals associated with those accounts permanently 
      banned from the site.

    * UltimateBet has worked closely and transparently with its 
      governing body, the KGC and its designated expert auditors, to 
      determine exactly what happened, how it happened, and who was 
      involved, and has taken action to prevent any possibility of this 
      situation recurring.

    * Tokwiro is pursuing its legal options in regard to this incident.
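The timeline's February 2008 entry says the first hard signal was "abnormally high winning statistics for the suspect accounts", and the first release of the new Security Center is described as focusing solely on the immediate detection of abnormal winnings. The release does not say how that detection works. The script below is an added illustration of one defensible approach, not UltimateBet's or Tokwiro's code: it converts each account's net result to a per-100-hands win rate, scores every account against a robust (median/MAD) estimate of the population, and flags rates that sit many robust standard deviations above everyone else. The account records, the `suspect_a` name and the threshold values are constructed for the example.

```python
"""Flag accounts whose win rate is implausibly high relative to the
player population.  Added example; not code from UltimateBet, Tokwiro
or the KGC.  All account data below is constructed."""
from statistics import median

# Constructed sample: (account, hands_played, net_big_blinds_won).
# The honest accounts hover around break-even; "suspect_a" is a
# hypothetical account winning roughly 3 big blinds per hand, which is
# far outside anything variance produces over thousands of hands.
SAMPLE = [
    ("player01", 20000, 150.0),
    ("player02", 18000, -300.0),
    ("player03", 25000, 400.0),
    ("player04", 15000, -120.0),
    ("player05", 22000, 90.0),
    ("player06", 30000, -450.0),
    ("player07", 17000, 200.0),
    ("suspect_a", 3000, 9000.0),
]

# Scale factor that turns a median absolute deviation into an estimate
# of the standard deviation for normally distributed data.
MAD_TO_SIGMA = 1.4826


def win_rate_bb100(hands: int, net_bb: float) -> float:
    """Net big blinds won per 100 hands, the usual poker win-rate unit."""
    return net_bb / hands * 100.0


def robust_z_scores(records, min_hands: int = 1000) -> dict:
    """Score each account's win rate against the population using the
    median and the median absolute deviation (MAD).  Robust statistics
    are used so that one extreme winner does not inflate the spread and
    hide itself; accounts with too few hands are skipped as noise."""
    rates = {
        acct: win_rate_bb100(hands, net)
        for acct, hands, net in records
        if hands >= min_hands
    }
    if len(rates) < 3:
        return {}
    centre = median(rates.values())
    mad = median(abs(r - centre) for r in rates.values())
    sigma = mad * MAD_TO_SIGMA
    if sigma == 0.0:
        # Degenerate population (all identical); nothing can be scored.
        return {acct: 0.0 for acct in rates}
    return {acct: (r - centre) / sigma for acct, r in rates.items()}


def flag_abnormal(records, threshold: float = 5.0, min_hands: int = 1000) -> list:
    """Return account names whose robust z-score exceeds the threshold,
    highest first.  Only abnormally HIGH winnings are flagged; losing
    accounts are of no interest to this check."""
    scores = robust_z_scores(records, min_hands)
    flagged = [acct for acct, z in scores.items() if z > threshold]
    return sorted(flagged, key=lambda a: scores[a], reverse=True)


if __name__ == "__main__":
    for acct, z in sorted(robust_z_scores(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{acct:10s} robust z = {z:8.2f}")
    print("flagged:", flag_abnormal(SAMPLE))
```

A check like this is only a first tripwire: a genuinely strong player over a short sample can produce a high rate, so a flag should trigger a hand-history review rather than an automatic sanction, and a real deployment would also weight scores by sample size and look at showdown decisions (folding exactly when behind) that hole-card knowledge makes visible.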





This archive was generated by hypermail 2.1.3 : Sat May 31 2008 - 01:44:29 PDT