A Common Security Flaw
Serious handicappers betting on ponies know they're always bucking the odds.
But the rigging of the Pick Six payoff at the Breeders' Cup championship showed how trusted insiders can manipulate networks to steal from unsuspecting bettors, long before the horses get to the gate.
The million-dollar fiasco is not an isolated problem. The truth is, any company that handles financial transactions or valuable information electronically runs the risk of being fleeced by its own technology staff or its users. Just in the last couple of months, Columbia University undergraduates got caught using digital photography and wireless transmission to cheat on graduate school entrance exams, and thieves succeeded in stealing the credit histories of 30,000 people thanks to help from a low-level technology insider who had easy access to the information.
In the horse racing case, a 29-year-old software developer confessed last month to masterminding a plot to use his position as a senior technology staff member at Autotote Systems to alter bets placed by a co-conspirator. The plan was to collect more than $3 million by picking six winners in Breeders' Cup races.
Autotote executives say the staffer, Chris Harn, had "the highest level" of access to Autotote's network (sometimes referred to as "super-user" access), and was actually responsible for monitoring and maintaining the network from the company's Delaware headquarters.
"You have to understand that this individual was one of, if not the most trusted member of our (IT) team," says Rhonda Barnat, a spokeswoman for Autotote. "That someone you trust so much would do something like this is just devastating."
Betting Big Money
Autotote Systems builds and maintains a network used to track 65% of the roughly $20 billion wagered each year at racetracks and off-track betting sites in North America.
Harn apparently had virtually unlimited access to servers used to develop new services, and to servers used in day-to-day betting. Typical security procedures try to separate users of development servers and users of production servers.
But even so, the rigging of payoffs from this Super Bowl of horse racing required outside conspirators, as well. Harn confessed to orchestrating this scheme with a pair of fraternity brothers from Drexel University.
In Pick Six, the bettor must correctly choose the winning horse in each of six selected races at a particular track. In this case, it was Arlington Park, just outside of Chicago. Bettors can make wagers over the phone, the Internet or from other horse tracks and watch-and-wager locations throughout the country.
Bettors who correctly pick the winning horses in each of the six races get to split the pot. For example, if only four people pick the six winning horses, they equally split the pool of money bet by their fellow bettors. In this case, the Pick Six pool was well over $3 million.
Key to the attempt to take advantage of the system is the timing of the bets. It always helps to know who wins. Indeed, in legitimate Pick Six competition, bettors must pick the winning horses in all six races before the first race begins.
In this case, one frat brother, Derrick Davis, 29, opened an account at a satellite wagering location in upstate New York that allowed wagers by phone. Harn says he knew, because he had set up the system, that this location didn't make a recording of touch-tone wagers, as many other states require.
With the account established and, presumably, untraceable to Harn, Davis phoned in his Pick Six wager shortly before the races began in Illinois.
Davis bet on individual horses to win in the first four races, then bet on every horse in the final two races. That meant that if the horses he selected in the first four races won, he would be assured of winning his Pick Six wager regardless of which horses won the fifth and sixth races.
That might have been good enough to ensure a winning piece of the pot. But apparently Harn got greedy. Working from Autotote's headquarters that Saturday, Harn changed codes on Davis' bets to the winning horses in the first four races. Then, he attempted to cover his tracks by manipulating the system's audit trail.
Harn knew betting information from off-site locations was not transmitted to the main pool in Arlington until after the fifth race. So, in the approximately 30 minutes after the end of the fourth race, he simply changed the wagers stored at the New York computer before the off-site data arrived at the end of the fifth race.
The 30-minute gap is nothing new. "It's been that way since the mid- or late '80s," says a source close to Autotote who participated in the investigation that led to Harn's arrest. "It's called an 'intertote systems protocol.' At the time, it was set up simply as a way to commingle the data from different locations. It wasn't devised with security in mind."
A Common Security Flaw
Peter Neumann, principal scientist at SRI International, a not-for-profit research institution, says this kind of security flaw is all too common in the commercial sector. "This is an example of a very simple exploitation of a rather stupid design flaw. This is how most security gets compromised in almost any custom system."
Neumann says most companies spend so much of their technology time on getting the business functions they want that they forget about securing their systems from their own employees. He says online banks, Internet gambling sites and even electronic voting booths are particularly vulnerable to corrupt programmers.
"As a general rule, there are hundreds of weak links within any IT organization," he says. "Even more when you build a custom system for voting or betting. And just because you fix one weak link doesn't mean there aren't others, many others, you haven't considered."
The reason for delaying the bets from satellite locations, according to Autotote, wasn't that there was too much congestion in the tote systems, but simply a shortsighted business process that had been in place for years.
"Like many things, it was status quo," the Autotote source says. "The protocol was designed to provide a functional solution to the problem of collecting wagers and deriving odds from multiple locations. From a business perspective, that information didn't need to be transmitted until the last minute."
Autotote's network was built on the OpenVMS operating system, developed by Digital Equipment in 1978, running on three redundant Alpha servers. Analysts say it's one of the most secure and functional operating systems around and a popular choice for banks, medical institutions and the U.S. military.
Autotote and its leading competitors, AmTote and United Tote, are now working to eradicate the intertote systems protocol to allow all wagers to be transmitted after each and every race. Autotote is also going to install independent control systems that mirror the activity on the network in real-time from a third-party location.
Security experts say recording and examining system activity, establishing "audit controls", is crucial to preventing similar abuse.
"One of the biggest problems any company can have is not configuring the audit control on your operating system," says Chris Wysopal, director of research and development at @Stake, a digital security consultancy. "The truth is many companies don't turn on their audit controls because they aren't turned on by default."
But setting up controls makes no difference unless a security operation also establishes a safe place from which to monitor activity, and does so regularly. "Usually, companies don't bother to go back and review audit trails until something goes wrong," Wysopal says. "Until they review those logs, they have no idea what's going on."
Setting up a separate authentication server at an off-site location that tracks which employees are logging in, and what they're doing and when, should prevent even a company's most senior technology administrator from compromising the network.
"You really want to separate the privileges as much as possible," Wysopal says. "There's no product you can buy anywhere that will tell you when insiders with valid credentials and passwords are doing something they shouldn't be doing."
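As an added illustration (not Autotote's or any tote vendor's code) of the off-site mirroring and audit controls discussed above: a satellite site that hash-chains each wager and commits the log head to an off-site auditor before the first race cannot later have a stored wager altered during the transmission gap without the change showing up at settlement. The auditor key, account and wager records are constructed for the demo.

```python
import hashlib
import hmac
import json

AUDITOR_KEY = b"constructed-demo-auditor-key"  # secret held off-site (constructed)
GENESIS = "0" * 64

def record_hash(prev_hash, wager):
    """Link a wager to the previous record by hashing both together."""
    payload = json.dumps(wager, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_wagers(wagers):
    """Append-only log kept at the satellite site; returns (records, head_hash)."""
    records, prev = [], GENESIS
    for w in wagers:
        prev = record_hash(prev, w)
        records.append({"wager": dict(w), "hash": prev})
    return records, prev

def commit(head_hash):
    """Commitment sent to the off-site auditor at bet close, before race 1."""
    return hmac.new(AUDITOR_KEY, head_hash.encode(), hashlib.sha256).hexdigest()

def verify(records, commitment):
    """Auditor check at settlement: 'ok', 'record <i> altered' or 'head mismatch'."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if record_hash(prev, rec["wager"]) != rec["hash"]:
            return f"record {i} altered"        # edited in place, chain broken
        prev = rec["hash"]
    if not hmac.compare_digest(commit(prev), commitment):
        return "head mismatch"                  # chain re-linked after commitment
    return "ok"

# Constructed Pick Six ticket: single picks in races 1-4, every horse in 5 and 6.
WAGERS = [{"account": "A100", "race": r, "picks": p} for r, p in
          [(1, [7]), (2, [2]), (3, [9]), (4, [4]),
           (5, list(range(1, 9))), (6, list(range(1, 9)))]]

def demo():
    records, head = append_wagers(WAGERS)
    commitment = commit(head)             # held off-site before the first race
    intact = verify(records, commitment)
    # Insider rewrites the race-1 pick after the result is known and re-links the chain.
    altered = [dict(w) for w in WAGERS]
    altered[0]["picks"] = [3]
    relinked = verify(append_wagers(altered)[0], commitment)
    # The same edit made in place, without re-linking, is caught at the record itself.
    records[0]["wager"]["picks"] = [3]
    in_place = verify(records, commitment)
    return intact, relinked, in_place
```

The commitment only helps if it leaves the satellite site before the races start and is held somewhere the site's own administrators cannot reach, which is the point of Wysopal's separate, off-site monitoring.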
Securing Your Network From Insiders
- Limit access. Set strict rules on who has access to production servers, where data is most sensitive, and enforce them
- Create activity logs. Activate auditing mechanisms and review such logs randomly, and religiously
- Monitor the network. Establish a separate authentication server that stores monitored data in a secure location that programmers cannot access
- Hire carefully. Do background checks on all staffers who have access to critical data
- Regulate hours. Deny employees access to the network during off-hours