April 15, 2015

Lottery security chief rigged system to claim $14.3 million

John Hopton for - @Johnfinitum

The former security director of a major lottery is answering criminal charges after being accused of rigging the system. Eddie Raymond Tipton, the security chief for the Multi-State Lottery Association, allegedly tampered with a video camera and the computer that picks winning numbers before buying the “winning” ticket.

Prosecutors said he had been caught on CCTV buying a ticket with numbers he had previously programmed the computer to produce. However, he never claimed the $14.3 million prize.

Tipton, who denies the charges, bought the winning Hot Lotto ticket on December 23, 2010, and was arrested in January 2015 by the Iowa Division of Criminal Investigations, the BBC reports.

Too easy to rig

It seems the system was easier to rig than it should be when it kicks out almost 15 million dollars.

The offline computer concerned is kept in a glass room, and, the BBC says: “in theory can only be accessed by two people at the same time.” It is also monitored by a camera. However, the prosecution claims, Tipton set the camera to record only one second in each minute, using the rest of the time to enter the room alone and plug a USB drive into the computer.

On that drive was thought to be a rootkit: a stealthy computer program designed to do a specific task and then erase itself if the user so desires. Clearly, this user did so desire.

Based on court papers filed by prosecutors, the Des Moines Register said that Tipton "may have inserted a thumb drive into a highly locked-down computer that's supposed to generate the random numbers used to determine lottery winners."

Mike McLaughlin, senior analyst at computer security company First Base, told the BBC: "It is entirely possible to code a rootkit on a USB drive which could interfere with software on a computer then delete itself. It would only take a second to run once plugged in. However, this can leave traces on the infected machine if you know where to look."

Changing the system

Doug Jacobson, a computer engineering professor and director of Iowa State University's Information Assurance Center, told the Des Moines Register that: "One of the things we don't see much when we talk about computer security ... is physical access to the machine by somebody intent on doing evil. If you can physically gain access to a system, touch it as a person intent on doing evil, there's very little that can be done to stop you."

However, Iowa Lottery CEO Terry Rich recently released a statement expressing his confidence in the Multi-State Lottery Association's integrity, noting that the equipment and software used in Hot Lotto draws were replaced after Tipton was fired in January.

Tipton’s trial has been delayed until July. If found guilty, he faces up to five years in jail and a fine of up to $7,500.