
Lottery security director accused of hacking random-number generator to win $14.3 million

It sounds like the plot of a movie. But it’s not. At least not yet.

Eddie Raymond Tipton was the security director for MUSL – the Multi-State Lottery Association – which runs major lotteries across the United States, including Hot Lotto, Mega Millions and Powerball.

For understandable reasons, MUSL employees are not allowed to play the lottery.

51-year-old Tipton, however, is accused of not just playing the lottery, but also tampering with lottery equipment in such a way that he went on to win $14.3 million.

What’s not in dispute is that on December 23, 2010, someone walked into a Quick Trip store on East 13th Street, off Interstate Highway 80 in Des Moines, Iowa, and bought a lottery ticket.

You can actually watch a YouTube video of the purchase as caught on the store’s CCTV cameras.

 

That ticket turned out to be the winner of a prize fund valued at $14.3 million, and yet – despite widespread publicity – went unclaimed for almost an entire year.

Just hours before the time limit for claiming the lottery ticket was due to expire in 2011, a mysterious company incorporated in Belize tried to claim the prize through a New York attorney, saying the ticket holder wished to remain anonymous.

But this was a problem – lottery officials refused to release the multi-million dollar prize fund because of the refusal to reveal the identity of the prize winner, as required by Iowa law.

The prize claim was subsequently withdrawn in January 2012.


But now, of course, the authorities' interest in the curious case was piqued, and they released video footage of the ticket purchase in October 2014.

Unfortunately for Tipton, within days an out-of-state colleague at the lottery association had identified him to investigators as the person in the video.

In addition, a silver 2007 Ford Edge car rented by Tipton matched that used by the purchaser of the winning lottery ticket in December 2010.

Tipton was arrested and charged with fraud.

As Ars Technica reports, prosecutors claim that the former security director at MUSL was “obsessed” with self-destructing rootkits that could quickly make changes to computer systems and then destroy any evidence that they had ever been present on the targeted computer.

Furthermore, prosecutors have this week claimed that Tipton may have deliberately meddled with the lottery’s random number generator (RNG) by infecting a computer system with malware from a USB stick:

In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren’t connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal.

“Four of the five individuals who have access to control the camera’s settings will testify they did not change the cameras’ recording instructions,” prosecutors wrote. “The fifth person is defendant. It is a reasonable deduction to infer that defendant tampered with the camera equipment to have an opportunity to insert a thumbdrive into the RNG tower without detection.”

Whether there is any forensic evidence that someone tampered with the RNG on the lottery computer system (and indeed if any lack of evidence might damage the case against Tipton) remains to be seen.

Tipton’s trial is scheduled to start on July 13th.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
