Texas Lottery audit finds security flaws

May 4, 2006, 10:00 am (13 comments)

Texas Lottery

The Texas Lottery Commission needs to better enforce its computer system security policies and more effectively ensure that its main contractor is conducting background checks on its employees, according to a state auditor's report obtained Wednesday.

The report, which is scheduled for public release on Friday, said security at the lottery is "generally satisfactory." But the auditors identified several significant security weaknesses, especially in the area of system access.

For example, the report said the commission does not sufficiently document and enforce rules and policies about passwords, firewalls and accounts with special access privileges. The report did not include details about the security flaws to prevent people from exploiting them.

Lottery spokesman Bobby Heith did not immediately return a telephone call seeking comment. Commission Chairman C. Thomas Clowe said Wednesday morning that the audit would be discussed at the board's next meeting.

The commission is required to hire an independent firm to study all aspects of lottery security at least once every two years. The audit also addressed concerns raised by former and current lottery employees about the agency's ability to operate after a disaster.

Lawmakers grilled lottery officials about the agency's disaster recovery plan last fall after an employee sent two state representatives a scathing e-mail claiming the commission's emergency control center isn't fully functional. The employee was fired two days after he sent the e-mail for refusing to answer his supervisors' questions about the center unless they put them in writing.

The auditors said the commission should improve some aspects of its disaster recovery plan, but they pointed out that the agency's recovery center only supports its internal accounting system and other administrative processes.

They did, however, say weaknesses in lottery operator GTECH Corp.'s disaster recovery plan should be corrected "to better ensure that the operation of Texas lottery games can resume promptly after a disaster." GTECH controls the systems that run all lottery games.

The audit also urged lottery officials to ensure GTECH's employees have undergone proper background investigations and said all the company's employees should receive security awareness training.

A GTECH spokeswoman said she hadn't seen the report and couldn't comment on it.

Other areas of concern identified in the audit involved security aspects of each lottery game, the distribution of instant tickets and the security of lottery buildings and warehouses.

But the auditors said a 2004 reorganization of the lottery's security division did not have a significant negative effect.

The state auditor's office is expected to release another report later this year on the commission's personnel policies. Current and former lottery employees have complained the agency uses the threat of terminations to scare and intimidate anyone who questions lottery operations.

Lottery officials have said the law allows them to fire employees at any time for any lawful reason.

AP

Comments

Raven62

Hopefully they followup the Security Audit with a Financial Audit!

LOTTOMIKE

Your right about that. We've been guessing something fishy has been happening for quite a while. They even tried pulling that computerized stuff here a while back. They would've been the new Indiana.......

txlottoretort

Your right about that. We've been guessing something fishy has been happening for quite a while. They even tried pulling that computerized stuff here a while back. They would've been the new Indiana.......

Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff"? I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

LckyLary

Bulldinky... I don't understand what all the fuss is about... if someone got into their computer how would that help someone to predict future drawings when they are not computerized draws? At most they might know which specific draw machine will be used next but the advantage thus gained would be microscopic, if any.

"The audit also addressed concerns raised by former and current lottery employees about the agency's ability to operate after a disaster." 

This means what, the survivors of a disaster would crawl out of the rubble and head right to the ELE7VEN to play Lotto?

Tenaj

Your right about that. We've been guessing something fishy has been happening for quite a while. They even tried pulling that computerized stuff here a while back. They would've been the new Indiana.......

Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff"? I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

I Agree! with txlottoretort.

LOTTOMIKE

Your right about that. We've been guessing something fishy has been happening for quite a while. They even tried pulling that computerized stuff here a while back. They would've been the new Indiana.......

Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff"? I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

I Agree! with txlottoretort.

Do you think I gave a flying rat's butt what you agree with, lol. Every now and then I unblock you so I can see our newest disagreement. You're lucky I'm in a good mood......

Tenaj

Your right about that. We've been guessing something fishy has been happening for quite a while. They even tried pulling that computerized stuff here a while back. They would've been the new Indiana.......

Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff"? I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

I Agree! with txlottoretort.

What? I take that back. Even though Lottomike might be guessing and not know the facts, txlottoretort's angle, and the way he presents his response, is fishy, and for all we know he might have some kind of connection to the Texas Lottery and is just letting off steam and is following the publicity and landed here on LP. I don't agree with txlottoretort.

LOTTOMIKE

I'm just kidding with you, Tenaj. You know I joke.......

Tenaj

I'm just kidding with you, Tenaj. You know I joke.......

Don't be trying to worm out of it. Your remarks are becoming more and more comical.

LOTTOMIKE

My heart is as big as Texas, but my brain is the size of Rhode Island!

savagegoose

I think disaster recovery may mean when there is a disaster and looting, recovering the unpaid scratch tickets or cancelling them.

If shops are flooded or rubble and looters get hundreds or thousands of free scratchies, I'm sure there has to be a policy in place to make sure the claims are not paid. Maybe that's what they mean.

KY Floyd

Bulldinky... I don't understand what all the fuss is about... if someone got into their computer how would that help someone to predict future drawings when they are not computerized draws? At most they might know which specific draw machine will be used next but the advantage thus gained would be microscopic, if any.

"The audit also addressed concerns raised by former and current lottery employees about the agency's ability to operate after a disaster." 

This means what, the survivors of a disaster would crawl out of the rubble and head right to the ELE7VEN to play Lotto?

"Disaster recovery" is a pretty common term in the IT field, and based on the article's emphasis on computer security issues I'm guessing the possible disasters they're thinking about are more along the lines of massive computer problems. A major failure halfway through the sales for an enormous jackpot could cost them millions of dollars and be far more significant than paying out on a bunch of stolen scratchers.

Your comments asking what the fuss is about are an excellent example of why computer security is such a problem at many companies. People often focus on the wrong issues and may fail to consider bigger risks, and that makes them cavalier about security. The problems have nothing to do with predicting future draws, and if there's any info on the computers that indicates which machine or set of balls will be used, the security problems are with the people who set security policies, rather than the computers.

Among the other information stored on the computers are records of every single ticket sold for online games. Those records make it almost impossible for somebody to forge a ticket and collect a prize because it's extremely unlikely that the ticket will match a record in the database. Access to the database, though, offers all sorts of potential, including adding a record for a ticket that wasn't really sold. Doing that after the winning numbers have been drawn means a ticket could be printed after the drawing, and when the ticket is compared to the database there would be a perfect match. That obviously offers enormous potential for monetary gain. That could explain why Ohio has had so many MM winners recently. At the opposite end of the spectrum, somebody could delete records, thus invalidating large numbers of legitimate winning tickets. Other databases contain other kinds of records that should be kept confidential, such as which vendor has winning tickets in scratchoff games, mailing addresses for any winners who are receiving annuity payments, and payroll records.

Modifying the database can be easily prevented by keeping multiple copies, all of which should be isolated as soon as ticket sales close. If that isn't the current security policy, that would be a major problem, and an excellent example of why the review doesn't describe the specific problems discovered. Other problems that are almost certain to exist are things like an employee who always talks about her third cat, "Fluffy", and has been using "Fluffy3" as her password for the last 5 years. If that person's machine has limited permissions a crappy password may not be a big deal, but the number of people who can access important data should be limited and those people really need to have strong passwords that are changed often. The ability to modify data needs to be severely restricted and all changes need to be thoroughly documented. A business as big as a state lottery has no excuse for poor security, but even minor flaws in good security can allow people to collect large sums in small chunks.
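The sealed-copy idea in the post above, worked through as an added example that is not code from the article, the auditors or the commenter: a constructed Python ticket ledger that freezes a per-ticket digest map the moment sales close, validates prize claims only against that frozen copy, and diffs the live table against it to surface records inserted, deleted or edited after close. Ticket ids, field names and sample records are all made up.

```python
import hashlib
import json

def ticket_digest(ticket):
    """Canonical SHA-256 of one ticket record; sorted keys make field order irrelevant."""
    return hashlib.sha256(json.dumps(ticket, sort_keys=True).encode()).hexdigest()

class TicketLedger:
    """Live sales table plus a frozen per-ticket digest map captured at sales close."""
    def __init__(self):
        self.live = {}      # ticket_id -> record, written by the sales system
        self.sealed = None  # ticket_id -> digest, frozen when sales close

    def sell(self, record):
        self.live[record["ticket_id"]] = record

    def close_sales(self):
        # This is the copy that belongs on isolated, write-once storage.
        self.sealed = {tid: ticket_digest(r) for tid, r in self.live.items()}

    def verify_claim(self, presented):
        """Validate a presented ticket against the sealed copy, never the live table."""
        if self.sealed is None:
            return "REJECT: sales still open"
        expected = self.sealed.get(presented["ticket_id"])
        if expected is None:
            return "REJECT: no record existed at sales close"
        if expected != ticket_digest(presented):
            return "REJECT: ticket does not match sealed record"
        return "OK"

    def audit_live_table(self):
        """Diff the live table against the seal: records inserted, deleted or edited after close."""
        current = {tid: ticket_digest(r) for tid, r in self.live.items()}
        return {
            "inserted": sorted(set(current) - set(self.sealed)),
            "deleted": sorted(set(self.sealed) - set(current)),
            "modified": sorted(t for t in current if t in self.sealed and current[t] != self.sealed[t]),
        }

def demo():
    """Constructed sample records (not real lottery data) with simulated post-close tampering."""
    ledger = TicketLedger()
    ledger.sell({"ticket_id": "T-0001", "numbers": [4, 8, 15, 16, 23, 42], "terminal": "R123"})
    ledger.sell({"ticket_id": "T-0002", "numbers": [1, 2, 3, 4, 5, 6], "terminal": "R777"})
    ledger.close_sales()
    ledger.live["T-9999"] = {"ticket_id": "T-9999", "numbers": [7, 14, 21, 28, 35, 49], "terminal": "R123"}
    del ledger.live["T-0002"]  # a legitimate sale removed from the live table
    return ledger
```

Because claims are checked against the seal, the record inserted after close is rejected and the deleted legitimate ticket still validates; the audit report is what an operator would alert on.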

LOTTOMIKE

As long as they keep the ball drawings, they'll be in good shape......
