The odds of winning the lottery vary greatly between states and the types of games offered (Powerball, Scratch off, etc.). In fact, it is commonly joked that getting struck by an asteroid is more likely than winning the lottery – even though people seem to win the lottery every week and you never hear about asteroid strikes.
Therefore, the odds of winning the lottery (at least) four times are nearly astronomical – unless you are one man and his rootkit. If you are not familiar with a rootkit, it is malware designed to enable access to a computer or areas of other software that would not otherwise be allowed (for example, to an unauthorized user) while masking its existence from detection.
Eddie Tipton, former security director for the Multi-State Lottery Association in Iowa, is accused of using a rootkit to manipulate and extract the winning lottery numbers before they were made public. Tipton, together with his brother and best friend, allegedly then used the data to purchase winning tickets before sales closed. Over the course of six years, $8 million has been paid out through 3 states linked to Tipton’s activities, and 37 more cases are now under investigation.
Considering Tipton was the Security Director for the lottery system itself, it is fair to say he represents yet another case of how bad insider threats can be, even from the most trusted individuals. It is still not clear what rootkit was used, how it was customized, and how the winning numbers were delivered, but the identification of the rootkit was not what tipped authorities off about suspicious activity. In fact, nothing about malware that caused concern was identified internally at all. Instead, it was all user behavior.
In 2012, a New York lawyer attempted to claim a $16.5 million jackpot anonymously but withdrew his claim rather than reveal the winner. Surveillance video of the winning ticket purchaser was circulated to the media to help find the winner, and Tipton’s co-workers, his peers, positively identified him as the mysterious owner of the winning ticket. That event was his big mistake, and it is what tipped off authorities in Iowa.
While millions of dollars have been stolen, it is a classic case of insider threat and excessive privileges. Why did Tipton have root access to so many sensitive servers to install the malware? Why was his activity not being logged? Why was outbound traffic not being audited for suspicious content? And on and on…
Here at BeyondTrust, we promote safe and secure administrative access with complete auditing and reporting. Events like this can be prevented if the proper security controls are in place, user activity is monitored, and advanced analytics are available to identify unusual user behavior. If you would like to learn more about Privileged Access Management, contact us today.
As always, stay tuned as more details become available on this latest insider threat.