Former lottery infosec head accused of hacking computers to buy winning ticket
The former head of information security at the Multi-State Lottery Association (MUSL), who was arrested in January 2015, stands accused of having tampered with the computer used for drawing winning lottery numbers and of having afterwards purchased the winning lottery ticket, even though, as an employee of the association, he isn’t permitted to do so.
According to additional claims included in a recent filing, Eddie Raymond Tipton, 51, apparently used a USB flash drive to install malicious software on the aforementioned computer, which would allow him to manipulate the outcome of the draw.
The computer in question is located in the “drawing room” and is not connected to the Internet, so in order to install the software Tipton needed to gain physical access to the machine.
The room is monitored by a camera that had also been tampered with on the day that Tipton allegedly entered the room and installed the malware on the computer. Instead of recording continuously, the camera was made to record only one second per minute.
The prosecution says Tipton used a rootkit to make the changes on the computer, and that the program deleted itself after doing its work. In 2010, when the compromise happened, the Multi-State Lottery Association apparently did not have the ability to check for rootkits installed in its systems, so this claim could be difficult to prove.
As the trial has been rescheduled for July, Iowa Lottery CEO Terry Rich issued a statement with the hope of reassuring lottery players that their systems are now clean.
“There will always be someone trying to beat the system. The lottery industry has and will continue to update its security procedures as we identify vulnerabilities to protect against them. We’ve introduced additional layers of security and even more separation of duties at our lottery because of what we’ve learned in this case, and that’s ultimately been a positive outcome. We also urged that the Multi-State Lottery Association (MUSL), the vendor organization for which Eddie Tipton worked, put additional security procedures in place and that has occurred, with more underway,” he noted.
“The equipment and software used in the Hot Lotto drawings has been replaced since the time that Eddie Tipton was employed at MUSL. The new equipment and software has been tested and certified by an independent gaming laboratory and forensically examined for malicious software, with no concerns identified. The security cameras, other physical security restrictions and procedures at MUSL also have been replaced and updated.”
“I have confidence that the games we offer today are fair. Our lottery has strong layers of security in place to protect lottery players, lottery games and lottery prizes. Those procedures enabled us to seek information about the winning ticket in this case and not pay the prize until basic questions could be answered – and they never were.”