Self-deleting rootkit or no, forensics investigators have dissected the code that former lottery chief Eddie Tipton used to skirt a lottery system’s random number generator and score a $14.3 million jackpot.
They detailed their findings in a criminal complaint filed against Eddie’s brother, Tommy Tipton, on Wednesday, after the former Texas justice of the peace was discovered to allegedly have $500,000 in consecutive marked bills.
Tommy’s brother, Eddie Raymond Tipton, the former security director of the Multi-State Lottery Association (MUSL), was convicted last July for running a lottery scam and sentenced to 10 years in jail in September.
In addition to that conviction, Eddie’s now facing additional felony criminal charges for allegedly manipulating drawing computers that he was responsible for building and programming.
Investigators have linked Tommy Tipton to tainted jackpots in Colorado and Oklahoma.
The complaint against Tommy Tipton details the findings of a forensic examination on a random number generator (RNG) computer that produced the winning numbers in a suspect 2007 Megabucks jackpot in Wisconsin that was paid out to a longtime friend of the Tiptons.
Investigators already knew that Eddie Tipton had stored self-deleting malware on a thumb drive that would ensure that Iowa’s Hot Lotto lottery would spit out a winning number.
Being self-deleting, though, the malware itself had never been recovered.
Jason Maher, the IT director at MUSL, had testified about Tipton having mentioned that he was in possession of a rootkit, though no evidence of such was ever discovered due to the agency’s hard drives being wiped.
Even with only somewhat murky video footage showing Tipton purchasing a ticket – which was against the rules, given that he worked for the lottery agency – and no evidence of the rootkit, jurors found Eddie Tipton guilty.
In what they called a breakthrough, the investigators eventually found one place where the self-deleting rootkit didn’t erase itself: namely, on the RNG computer that had been programmed by Eddie Tipton.
There, they found a fishy dynamic-link library (DLL).
DLL files are small and often run unnoticed on a computer’s operating system. They carry out all manner of tasks, be it connecting to a network or sending documents to a printer, and any one machine might have thousands of them.
This one particular DLL stood out because it turned out that it wasn’t the same as the one that had been verified as legitimate in a previous security audit.
Instead, it had two additional chunks of code, one of which redirected the RNG to not produce random numbers on three particular days of the year, if two other conditions were met.
So when draws occurred on …
- 3 particular days of the year,
- on 2 particular days of the week,
- after a certain time of day,
…the numbers would be drawn by an algorithm that Tipton could predict.
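The rogue DLL was caught because it no longer matched the copy verified in an earlier audit. The script below, added here as an example and not code from the investigation or from MUSL, shows that integrity check: every file under an install directory is hashed and compared with a manifest of audited SHA-256 values. The file names and contents are constructed stand-ins, not the real lottery software.

```python
"""Compare files in an install tree against an audited SHA-256 manifest."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(directory, manifest):
    """Return {'modified': [...], 'unexpected': [...], 'missing': [...]}.

    manifest maps a relative path to the SHA-256 hex digest recorded at audit
    time. A changed digest (same name, different code) is the case described
    in the complaint; new or vanished files are reported as well.
    """
    found = {}
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    modified = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    unexpected = sorted(p for p in found if p not in manifest)
    missing = sorted(p for p in manifest if p not in found)
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def demo():
    """Constructed install tree: one DLL has extra code appended after the audit."""
    audited = {"rng.dll": b"AUDITED RNG BUILD", "draw.exe": b"DRAW HOST"}  # hypothetical names
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in audited.items()}
    with tempfile.TemporaryDirectory() as d:
        for name, data in audited.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        with open(os.path.join(d, "rng.dll"), "ab") as f:  # same filename, changed contents
            f.write(b" + EXTRA CODE PATH")
        return verify_against_manifest(d, manifest)


if __name__ == "__main__":
    print(demo())  # {'modified': ['rng.dll'], 'unexpected': [], 'missing': []}
```

The manifest is only as trustworthy as its storage: keep it signed and off the drawing machine, or a tamperer who can replace a DLL can update the baseline too.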
And that’s when the sound of ka-ching! filled the air. Six prizes linked to Tipton were drawn on either 23 November or 29 December between 2005 and 2011.
From the complaint:
When those three conditions were met for a draw, the RNG would produce numbers [with] a multi-variable algorithm that were predictable for anyone familiar with the operation of the RNG, the security system, the lottery games, and the variables of the algorithm itself.
Who would have known all that? Why, the lottery’s security director, of course!
The forensics examiners tested it out themselves. Sure enough, when they recreated the draws according to the algorithm, they produced the very same winning numbers.
Tommy Tipton came under scrutiny in 2006, when Texas investigators received a tip about those consecutively marked bills.
He claimed to have gotten the money after winning a share of a $4.5 million Colorado Lotto jackpot, saying he recruited a friend to claim $569,000 in cash payout because he didn’t want his wife to know about it while they were considering divorce.
Investigators at the time didn’t know that Tipton’s brother wrote and installed the program that Colorado Lottery officials used to draw the numbers.
Tommy Tipton had testified at his brother’s trial, saying the buyer in the surveillance footage of the winning ticket purchase looked nothing like his sibling. Besides, he said, the guy in the video was buying a hot dog, and Eddie doesn’t like hot dogs.
Months later, after his brother was convicted and his own name had surfaced, Tommy Tipton resigned his elected judicial position in Flatonia, Texas.
Tommy Tipton has been released on bond. He’s charged with ongoing criminal conduct related to his role in securing the Colorado and Oklahoma jackpots, which allegedly netted him $1.2 million in cash.