
Texas Lottery audit finds security flaws


The Texas Lottery Commission needs to better enforce its computer system security policies and more effectively ensure that its main contractor is conducting background checks on its employees, according to a state auditor's report obtained Wednesday.

The report, which is scheduled for public release on Friday, said security at the lottery is "generally satisfactory." But the auditors identified several significant security weaknesses, especially in the area of system access.

For example, the report said the commission does not sufficiently document and enforce rules and policies about passwords, firewalls and accounts with special access privileges. The report did not include details about the security flaws to prevent people from exploiting them.

Lottery spokesman Bobby Heith did not immediately return a telephone call seeking comment. Commission Chairman C. Thomas Clowe said Wednesday morning that the audit would be discussed at the board's next meeting.

The commission is required to hire an independent firm to study all aspects of lottery security at least once every two years. The audit also addressed concerns raised by former and current lottery employees about the agency's ability to operate after a disaster.

Lawmakers grilled lottery officials about the agency's disaster recovery plan last fall after an employee sent two state representatives a scathing e-mail claiming the commission's emergency control center isn't fully functional. The employee was fired two days after he sent the e-mail for refusing to answer his supervisors' questions about the center unless they put them in writing.

The auditors said the commission should improve some aspects of its disaster recovery plan, but they pointed out that the agency's recovery center only supports its internal accounting system and other administrative processes.

They did, however, say weaknesses in lottery operator GTECH Corp.'s disaster recovery plan should be corrected "to better ensure that the operation of Texas lottery games can resume promptly after a disaster." GTECH controls the systems that run all lottery games.

The audit also urged lottery officials to ensure GTECH's employees have undergone proper background investigations and said all the company's employees should receive security awareness training.

A GTECH spokeswoman said she hadn't seen the report and couldn't comment on it.

Other areas of concern identified in the audit involved security aspects of each lottery game, the distribution of instant tickets and the security of lottery buildings and warehouses.

But the auditors said a 2004 reorganization of the lottery's security division did not have a significant negative effect.

The state auditor's office is expected to release another report later this year on the commission's personnel policies. Current and former lottery employees have complained the agency uses the threat of terminations to scare and intimidate anyone who questions lottery operations.

Lottery officials have said the law allows them to fire employees at any time for any lawful reason.

AP


13 comments. Last comment 11 years ago by LOTTOMIKE.
Raven62's avatar - binary
New Jersey
United States
Member #17843
June 28, 2005
49699 Posts
Offline
Posted: May 4, 2006, 10:11 am - IP Logged

Hopefully they follow up the Security Audit with a Financial Audit!

    LOTTOMIKE's avatar - cash money.jpg
    Tennessee
    United States
    Member #7853
    October 15, 2004
    11338 Posts
    Offline
    Posted: May 4, 2006, 3:48 pm - IP Logged

    your right about that.we've been guessing something fishy has been happening for quite a while.they even tried pulling that computerized stuff here a while back.they would've been the new indiana.......

      Avatar
      New Member
      Texas
      United States
      Member #38785
      May 4, 2006
      1 Posts
      Offline
      Posted: May 4, 2006, 11:07 pm - IP Logged

      your right about that.we've been guessing something fishy has been happening for quite a while.they even tried pulling that computerized stuff here a while back.they would've been the new indiana.......

      Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff." I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

        Avatar

        United States
        Member #10720
        January 23, 2005
        933 Posts
        Offline
        Posted: May 5, 2006, 8:25 pm - IP Logged

        Bulldinky... I don't understand what all the fuss is about... if someone got into their computer how would that help someone to predict future drawings when they are not computerized draws? At most they might know which specific draw machine will be used next but the advantage thus gained would be microscopic, if any.

        "The audit also addressed concerns raised by former and current lottery employees about the agency's ability to operate after a disaster." 

        This means what, the survivors of a disaster would crawl out of the rubble and head right to the ELE7VEN to play Lotto?

          Tenaj's avatar - michellea
          Charlotte NC
          United States
          Member #17406
          June 18, 2005
          4053 Posts
          Offline
          Posted: May 5, 2006, 9:00 pm - IP Logged

          your right about that.we've been guessing something fishy has been happening for quite a while.they even tried pulling that computerized stuff here a while back.they would've been the new indiana.......

          Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff." I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

          I Agree! with txlottoretort.

          takeemtothebank

            LOTTOMIKE's avatar - cash money.jpg
            Tennessee
            United States
            Member #7853
            October 15, 2004
            11338 Posts
            Offline
            Posted: May 5, 2006, 9:44 pm - IP Logged

            your right about that.we've been guessing something fishy has been happening for quite a while.they even tried pulling that computerized stuff here a while back.they would've been the new indiana.......

            Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff." I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

            I Agree! with txlottoretort.

            do you think i gave flying rats butt what you agree with,lol.every now and then i unblock you so i can see our newest disagreement.your lucky i'm in a good mood......

              Tenaj's avatar - michellea
              Charlotte NC
              United States
              Member #17406
              June 18, 2005
              4053 Posts
              Offline
              Posted: May 5, 2006, 9:46 pm - IP Logged

              your right about that.we've been guessing something fishy has been happening for quite a while.they even tried pulling that computerized stuff here a while back.they would've been the new indiana.......

              Ok LOTTOMIKE, I'm pretty sure you meant "you're," but I can only hope. Now, who are "they," and when was "a while back?" By "they," do you mean lottery officials or the Texas Legislature (Texas, like all state lotteries I know of, can take little action without the explicit approval of the state's elected legislators)? And did they really "try pulling that computerized stuff" or did they merely investigate their options and weigh potential cost savings vs. the possible/likely erosion of public trust (and then report their conclusions in a public forum), while always bearing in mind their Legislature-mandated obligation to maximize revenue to the state? Does a cost/benefit analysis really equate to "try pulling that computerized stuff." I mean, what was the result? What actually happened, when did this happen, who all was involved and what was the ultimate result? So far as I know, the only "computerized stuff" in Texas is the Megaplier drawing. Give us some facts LOTTOMIKE, not rumor, innuendo and speculation. Without some facts to back up your comments about Texas, despite your impressive history of posting from Tennessee, I'd have to say that your comment is somewhat "fishy."

              I Agree! with txlottoretort.

              What? I take that back, even though Lottomike might be guessing and not know the facts; txlottoretort's angle, and the way he presents his response is fishy and for all we know he might have some kind of connection to the Texas Lottery and is just letting off steam and is following the publicity and landed here on LP. I don't agree with txlottoretort.

              takeemtothebank

                LOTTOMIKE's avatar - cash money.jpg
                Tennessee
                United States
                Member #7853
                October 15, 2004
                11338 Posts
                Offline
                Posted: May 5, 2006, 10:08 pm - IP Logged

                i'm just kidding with you tenaj.you know i joke.......

                  Tenaj's avatar - michellea
                  Charlotte NC
                  United States
                  Member #17406
                  June 18, 2005
                  4053 Posts
                  Offline
                  Posted: May 5, 2006, 10:19 pm - IP Logged

                  i'm just kidding with you tenaj.you know i joke.......

                  Don't be trying to worm out of it. Your remarks are becoming more and more comical.

                  takeemtothebank

                    LOTTOMIKE's avatar - cash money.jpg
                    Tennessee
                    United States
                    Member #7853
                    October 15, 2004
                    11338 Posts
                    Offline
                    Posted: May 5, 2006, 10:48 pm - IP Logged

                    my heart is big as texas.but my brain is the size of rhode island!

                      savagegoose's avatar - ProfilePho
                      adelaide sa
                      Australia
                      Member #37136
                      April 11, 2006
                      3300 Posts
                      Offline
                      Posted: May 6, 2006, 1:42 am - IP Logged

                      i think disaster recovery may mean when there is a disaster and looting, recovering the unpaid scratch tickets or cancelling them.

                      if shops are flooded or rubble and looters get hundreds or thousands of free scratchies, I'm sure there has to be a policy in place to make sure the claims are not paid. maybe that's what they mean

                        Avatar
                        NY
                        United States
                        Member #23835
                        October 16, 2005
                        3474 Posts
                        Offline
                        Posted: May 7, 2006, 12:31 pm - IP Logged

                        Bulldinky... I don't understand what all the fuss is about... if someone got into their computer how would that help someone to predict future drawings when they are not computerized draws? At most they might know which specific draw machine will be used next but the advantage thus gained would be microscopic, if any.

                        "The audit also addressed concerns raised by former and current lottery employees about the agency's ability to operate after a disaster." 

                        This means what, the survivors of a disaster would crawl out of the rubble and head right to the ELE7VEN to play Lotto?

                        "Disaster recovery" is a pretty common term in the IT field, and based on the article's emphasis on computer security issues I'm guessing the possible disasters they're thinking about are more along the lines of massive computer problems. A major failure halfway through the sales for an enormous jackpot could cost them millions of dollars and be far more significant than paying out on a bunch of stolen scratchers.

                        Your comment asking what the fuss is about is an excellent example of why computer security is such a problem at many companies. People often focus on the wrong issues and may fail to consider bigger risks, and that makes them cavalier about security. The problems have nothing to do with predicting future draws, and if there's any info on the computers that indicates which machine or set of balls will be used the security problems are with the people who set security policies, rather than the computers.

                        Among the other information stored on the computers are records of every single ticket sold for online games. Those records make it almost impossible for somebody to forge a ticket and collect a prize because it's extremely unlikely that the ticket will match a record in the database. Access to the database, though, offers all sorts of potential, including adding a record for a ticket that wasn't really sold. Doing that after the winning numbers have been drawn means a ticket could be printed after the drawing, and when the ticket is compared to the database there would be a perfect match. That obviously offers enormous potential for monetary gain. That could explain why Ohio has had so many MM winners recently. At the opposite end of the spectrum, somebody could delete records, thus invalidating large numbers of legitimate winning tickets. Other databases contain other kinds of records that should be kept confidential, such as which vendor has winning tickets in scratchoff games, mailing addresses for any winners who are receiving annuity payments, and payroll records.

                        Modifying the database can be easily prevented by keeping multiple copies, all of which should be isolated as soon as ticket sales close. If that isn't the current security policy, that would be a major problem, and an excellent example of why the review doesn't describe the specific problems discovered. Other problems that are almost certain to exist are things like an employee who always talks about her third cat, "Fluffy", and has been using "Fluffy3" as her password for the last 5 years. If that person's machine has limited permissions a crappy password may not be a big deal, but the number of people who can access important data should be limited and those people really need to have strong passwords that are changed often. The ability to modify data needs to be severely restricted and all changes need to be thoroughly documented. A business as big as a state lottery has no excuse for poor security, but even minor flaws in good security can allow people to collect large sums in small chunks.
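
The isolated-copies control described in the comment above, as an added example that is not part of the thread and not any lottery's real system: the ticket table is sealed with a SHA-256 digest when sales close, copies go to isolated replicas, and a claim is paid only if every replica is intact and holds that exact ticket. The serials, numbers and function names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample data: ticket serial -> numbers played.
SALES = {
    "T-0001": (3, 11, 24, 35, 40),
    "T-0002": (7, 8, 19, 22, 41),
    "T-0003": (1, 2, 3, 4, 5),
}

def canonical(records):
    """Serialize the table deterministically so equal tables hash equally."""
    return json.dumps(sorted(records.items()), separators=(",", ":")).encode()

def seal(records):
    """Freeze the table at sales close; return (frozen copy, SHA-256 digest)."""
    frozen = {serial: tuple(nums) for serial, nums in records.items()}
    return frozen, hashlib.sha256(canonical(frozen)).hexdigest()

def diff_against_seal(live, sealed):
    """Classify every difference between the live table and a sealed copy."""
    common = set(live) & set(sealed)
    return {
        "added": sorted(set(live) - set(sealed)),
        "removed": sorted(set(sealed) - set(live)),
        "altered": sorted(s for s in common if tuple(live[s]) != sealed[s]),
    }

def claim_is_valid(serial, numbers, replicas, published_digest):
    """Pay only if every replica still matches the seal and holds this ticket."""
    for replica in replicas:
        if hashlib.sha256(canonical(replica)).hexdigest() != published_digest:
            return False  # replica changed after the seal: investigate, do not pay
        if replica.get(serial) != tuple(numbers):
            return False  # ticket was not in the table when sales closed
    return True

def demo():
    sealed, digest = seal(SALES)
    replicas = [dict(sealed), dict(sealed)]  # copies held on isolated systems
    live = dict(SALES)                       # production table, later tampered with
    live["T-9999"] = (5, 9, 17, 28, 33)      # record inserted after the draw
    del live["T-0002"]                       # legitimate ticket deleted
    live["T-0003"] = (5, 9, 17, 28, 33)      # numbers rewritten
    report = diff_against_seal(live, sealed)
    forged = claim_is_valid("T-9999", (5, 9, 17, 28, 33), replicas, digest)
    legit = claim_is_valid("T-0002", (7, 8, 19, 22, 41), replicas, digest)
    return report, forged, legit

if __name__ == "__main__":
    print(demo())
```
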

                          LOTTOMIKE's avatar - cash money.jpg
                          Tennessee
                          United States
                          Member #7853
                          October 15, 2004
                          11338 Posts
                          Offline
                          Posted: May 8, 2006, 8:12 am - IP Logged

                          as long as they keep the ball drawings they'll be in good shape......