Lottery balls. Image courtesy of Shutterstock
Naked Security Naked Security

Hot Lotto security director suspected of tinkering with computer to win $14.3m

What's luckier than a four-leaf clover? Maybe a rootkit on a handy thumb drive, with access to security cameras that can be tampered with.

Lottery balls. Image courtesy of ShutterstockSome people are born lucky. Some people make their own luck.

Some people insert their luck via self-deleting malware on a thumb drive, thereby ensuring that the state Hot Lotto lottery will spit out a number that wins them a sweet $14.3 million jackpot (about £9.7 million).

That, prosecutors claim, is the surefire luck that former security director Eddie Raymond Tipton manufactured and slipped onto the highly locked down lottery number generating computer at the Multi-State Lottery Association.

Tipton, 51, was scheduled to stand trial Monday on two counts of fraud, more than four years after prosecutors say he walked into a convenience store in Des Moines, Iowa, to buy what he’d allegedly made sure would be the winning ticket back on 23 December 2010.

His trial was pushed back to July after the defense asked for more time.

As the Des Moines Register reports, Assistant Iowa Attorney General Robert Sand last week filed a brief in which he suggested that Tipton may have used a thumb drive to install self-deleting malware that could manipulate the outcome of what’s supposed to be a random drawing in the Hot Lotto lottery.

To prevent external tampering, the computers that randomly draw the winning numbers don’t have internet connectivity. Thus, the time setting on the computer has to be updated manually.

Prosecutors theorize that Tipton may have exploited his position to install a rootkit when he entered the room on 20 November 2010 to change the time.

According to Ars Technica, court documents filed last week declare that the room was enclosed in glass, could only be entered by at least two people at a time, and was monitored by a video camera.

In fact, a Sunday pretrial ruling, District Court Judge Jeffrey Farrell wrote that there were at least two other people with Tipton inside the draw room at the time of the alleged crime.

At a hearing on Monday, Sand said that evidence points to a draw room surveillance camera also having been tampered with.

On the same day that Tipton was in the room to change the time on the computer, a camera recorded only one second per minute.

Tipton’s former coworkers are expected to testify at his trial that he was “obsessed” with rootkits and even once gave a presentation on them at a conference on lottery security, according to the court brief.

Suspicions about the lottery ticket sprang up in December 2011, when a New York attorney named Crawford Shaw showed up a year after the lottery ticket purchase, mere hours before it was set to expire.

Shaw tried to redeem the ticket on behalf of a mysterious company incorporated in Belize.

But given that Iowa Code dictates that the identity of the ticket purchaser is necessary, the winnings were never released.

Shaw was only one of a string of men who tried to cash the ticket on behalf of an anonymous party.

One of those men, Robert Clark Rhodes II, 46, of Sugarland, Texas, was arrested a few weeks ago for allegedly conspiring to influence the winnings of the Hot Lotto prize with the intent to defraud, falsely utter, pass or redeem a lottery ticket.

CCTV of lotto ticket purchase

Who was that guy who bought the ticket in a QuickTrip near Interstate 80?

It shouldn’t have been Tipton, given that as an employee of the lottery association, he wasn’t allowed to play. The Multi-State Lottery Association serves as a vendor to the Hot Lotto, which meant Tipton was prohibited by Iowa Code to purchase tickets or win from the lottery.

Last autumn, police tried to nail down the identity of the man on the video. They released a surveillance video of the purchase, after which an out-of-state employee of the Multi-State Lottery Association identified the person in the video as Eddie Tipton, then director of security for the lottery association.

Whether or not the prosecution’s theory holds true, one thing seems certain: that lottery association needed to beef up physical security and reassess job assignments.

In the wake of this twisting cyber thriller, the nonprofit lottery association has done just that, making some serious security overhauls, including:

  • Adding the ability to check for rootkits installed in its system, as part of security updates.
  • After Tipton was fired in January, equipment and software used in the drawings were replaced, including the security cameras that monitor the drawing room.
  • Introducing additional separation of duties for employees.

Image of lottery balls courtesy of Shutterstock.