Free Republic

How Autotote Insider Rigged the System
Baseline | December 1, 2002 | Larry Barrett

Posted on 12/12/2002 5:46:59 PM PST by TexRef

Worried about outsiders breaking into your network? Don't overlook your own employees. Just ask Autotote, where a software developer almost stole a $3 million jackpot.

Serious handicappers betting on ponies know they're always bucking the odds.

But the rigging of the Pick Six payoff at the Breeders' Cup championship showed how trusted insiders can manipulate networks to steal from unsuspecting bettors without ever going near a track.

The million-dollar fiasco is not an isolated problem. Any company that handles financial transactions or valuable information electronically runs the risk of being fleeced by its own technology staff or its users. In just the last couple of months, Columbia University undergraduates were caught using digital photography and wireless transmission to cheat on graduate school entrance exams, and thieves stole the credit histories of 30,000 people with help from a low-level technology insider who had easy access to the information.

In the horse racing case, a 29-year-old software developer confessed last month to masterminding a plot to use his position as a senior technology staff member at Autotote Systems to alter bets placed by a co-conspirator. The plan was to collect more than $3 million by picking six winners in Breeders' Cup races.

Autotote executives say the staffer, Chris Harn, had "the highest level" of access—sometimes referred to as a "super-user"—to Autotote's network, and was actually responsible for monitoring and maintaining the network from the company's Delaware headquarters.

"You have to understand that this individual was one of, if not the most trusted member of our (IT) team," says Rhonda Barnat, a spokeswoman for Autotote. "That someone you trust so much would do something like this is just devastating."

Betting Big Money

Autotote Systems builds and maintains a network used to track 65% of the roughly $20 billion wagered each year at racetracks and off-track betting sites in North America.

Harn apparently had virtually unlimited access to servers used to develop new services, and to servers used in day-to-day betting. Typical security procedures try to separate users of development servers and users of production servers.

But even so, the rigging of payoffs from this Super Bowl of horse racing required outside conspirators, as well. Harn confessed to orchestrating this scheme with a pair of fraternity brothers from Drexel University.

In Pick Six, the bettor must correctly choose the winning horse in each of six selected races at a particular track. In this case, it was Arlington Park, just outside of Chicago. Bettors can make wagers over the phone, the Internet or from other horse tracks and watch-and-wager locations throughout the country.

Bettors who correctly pick the winning horses in each of the six races get to split the pot. For example, if only four people pick the six winning horses, they equally split the pool of money bet by their fellow bettors. In this case, the Pick Six pool was well over $3 million.

Key to the scheme was the timing of the bets: it always helps to know who has already won. In legitimate Pick Six play, bettors must pick the winning horses in all six races before the first race begins.

In this case, one frat brother, Derrick Davis, 29, opened an account at a satellite wagering location in upstate New York that allowed wagers by phone. Harn says he knew—because he had set up the system—that this location didn't make a recording of touch-tone wagers, as many other states require.

With the account established and, presumably, untraceable to Harn, Davis phoned in his Pick Six wager shortly before the races began in Illinois.

Davis bet a single horse to win in each of the first four races and every horse in the last two. If his four single picks came in, he was assured of a winning Pick Six ticket regardless of which horses won the fifth and sixth races.

That might have been good enough to ensure a winning piece of the pot. But apparently Harn got greedy. Working from Autotote's headquarters that Saturday, Harn changed codes on Davis' bets to the winning horses in the first four races. Then, he attempted to cover his tracks by manipulating the system's audit trail.

Harn knew betting information from off-site locations was not transmitted to the main pool in Arlington until after the fifth race. So, in the approximately 30 minutes after the end of the fourth race, he simply changed the wagers stored at the New York computer before the off-site data arrived at the end of the fifth race.

The 30-minute gap is nothing new. "It's been that way since the mid- or late '80s," says a source close to Autotote who participated in the investigation that led to Harn's arrest. "It's called an 'intertote systems protocol.' At the time, it was set up simply as a way to commingle the data from different locations. It wasn't devised with security in mind."

A Common Security Flaw

Peter Neumann, principal scientist at SRI International, a not-for-profit research institution, says this kind of security flaw is all too common in the commercial sector. "This is an example of a very simple exploitation of a rather stupid design flaw. This is how most security gets compromised in almost any custom system."

Neumann says most companies spend so much of their technology time on getting the business functions they want that they forget about securing their systems from their own employees. He says online banks, Internet gambling sites and even electronic voting booths are particularly vulnerable to corrupt programmers.

"As a general rule, there are hundreds of weak links within any IT organization," he says. "Even more when you build a custom system for voting or betting. And just because you fix one weak link doesn't mean there aren't others, many others, you haven't considered."

The reason for delaying the bets from satellite locations, according to Autotote, wasn't that there was too much congestion in the tote systems, but simply a shortsighted business process that had been in place for years.

"Like many things, it was status quo," the Autotote source says. "The protocol was designed to provide a functional solution to the problem of collecting wagers and deriving odds from multiple locations. From a business perspective, that information didn't need to be transmitted until the last minute."

Autotote's network ran on the OpenVMS operating system, first released by Digital Equipment in 1978, on three redundant Alpha servers. Analysts say OpenVMS is one of the most secure and functional operating systems around and a popular choice for banks, medical institutions and the U.S. military.

Autotote and its leading competitors, AmTote and United Tote, are now working to eradicate the intertote systems protocol to allow all wagers to be transmitted after each and every race. Autotote is also going to install independent control systems that mirror the activity on the network in real-time from a third-party location.

Security experts say recording and examining system activity—establishing "audit controls"—is crucial to preventing similar abuse.

"One of the biggest problems any company can have is not configuring the audit control on your operating system," says Chris Wysopal, director of research and development at @Stake, a digital security consultant. "The truth is many companies don't turn on their audit controls because they aren't turned on by default."

But turning on audit controls makes no difference unless the organization also has a protected place from which to collect and review the records, and actually reviews them regularly. "Usually, companies don't bother to go back and review audit trails until something goes wrong," Wysopal says. "Until they review those logs, they have no idea what's going on."

Sending every employee's login and activity records, including what they did and when, to a separate authentication and logging server at an off-site location puts the evidence beyond the reach of even the company's most senior technology administrator. It cannot stop a super-user from making a change, but it means the change cannot be made without leaving a trail the administrator is unable to erase.

"You really want to separate the privileges as much as possible," Wysopal says. "There's no product you can buy anywhere that will tell you when insiders with valid credentials and passwords are doing something they shouldn't be doing."


TOPICS: News/Current Events; Technical
KEYWORDS: autotote; breederscup; computersecurityin; gambling; horseracing; racefixing; technology
This story is a few weeks old, but I couldn't find any posting of it on FR. Saw it in Baseline Magazine and thought it was interesting.
1 posted on 12/12/2002 5:46:59 PM PST by TexRef
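The batching window the article describes, as an added example that is not part of the original post or of Autotote's software: a satellite hub keeps touch-tone wagers in mutable local storage and only ships them to the track pool after the fifth leg, so an insider who knows the first four results can rewrite a ticket before it is sent. The hardened host additionally receives a hash commitment for every ticket before the first race and rejects any ticket that no longer matches it. Account names, horse numbers, field sizes, race results and the message layout are all assumptions for illustration.

```python
"""Added example (not Autotote's code): the post-leg-4 rewrite window and a
commitment-before-first-post defence.  All names and numbers are assumed."""
import hashlib
import json
import os


def canonical(ticket):
    """Stable byte encoding so an unchanged ticket always hashes the same."""
    body = {"account": ticket["account"], "denom": ticket["denom"],
            "legs": [sorted(leg) for leg in ticket["legs"]]}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def ticket_cost(ticket):
    """Denomination times the number of horse combinations on the ticket."""
    combos = 1
    for leg in ticket["legs"]:
        combos *= len(leg)
    return combos * ticket["denom"]


def is_winner(ticket, results):
    """A ticket wins when the winner of every leg is among its picks for that leg."""
    return all(win in leg for leg, win in zip(ticket["legs"], results))


def commit(ticket, nonce):
    """Commitment sent before first post: hash(nonce || canonical ticket)."""
    return hashlib.sha256(nonce + canonical(ticket)).hexdigest()


class Host:
    """Track-side pool.  Commitments must be stored where hub operators cannot
    overwrite them, e.g. the third-party mirror the article mentions."""

    def __init__(self, require_commitments):
        self.require_commitments = require_commitments
        self.commitments = {}

    def receive_commitment(self, ticket_id, digest):
        self.commitments[ticket_id] = digest

    def settle(self, batch, results):
        """Return (paid ticket ids, rejected ticket ids) for a late batch."""
        paid, rejected = [], []
        for ticket_id, ticket, nonce in batch:
            if self.require_commitments and \
                    self.commitments.get(ticket_id) != commit(ticket, nonce):
                rejected.append(ticket_id)   # content changed since first post
                continue
            if is_winner(ticket, results):
                paid.append(ticket_id)
        return paid, rejected


class Hub:
    """Satellite wagering hub with a mutable local ticket store."""

    def __init__(self, host):
        self.host = host
        self.store = {}

    def place(self, ticket_id, ticket):
        nonce = os.urandom(16)
        self.store[ticket_id] = (ticket, nonce)
        # Before first post the host learns only the commitment, not the picks.
        self.host.receive_commitment(ticket_id, commit(ticket, nonce))

    def insider_rewrite(self, ticket_id, known_winners):
        """Super-user edit between legs 4 and 5: the singles become the winners."""
        ticket, nonce = self.store[ticket_id]
        legs = [[w] for w in known_winners] + ticket["legs"][len(known_winners):]
        self.store[ticket_id] = (dict(ticket, legs=legs), nonce)

    def transmit(self):
        """Full tickets leave the hub only after the fifth leg has been run."""
        return [(tid, t, n) for tid, (t, n) in self.store.items()]


def run_scenario(require_commitments, tamper):
    host = Host(require_commitments)
    hub = Hub(host)
    # Constructed ticket shaped like the one in the article: singles in legs
    # 1-4, every horse in legs 5 and 6 (8- and 12-horse fields assumed).
    ticket = {"account": "acct-1", "denom": 12,
              "legs": [[3], [7], [2], [9], list(range(1, 9)), list(range(1, 13))]}
    hub.place("T1", ticket)
    results = [5, 7, 4, 9, 6, 11]          # assumed winners of the six legs
    if tamper:
        hub.insider_rewrite("T1", results[:4])
    paid, rejected = host.settle(hub.transmit(), results)
    return {"cost": ticket_cost(ticket), "paid": paid, "rejected": rejected}


if __name__ == "__main__":
    print("batched only:", run_scenario(False, True))
    print("with commitments:", run_scenario(True, True))
```

With commitments switched off the rewritten ticket is paid, because the host has nothing to compare the late batch against; with them on, the same rewrite is rejected while an untouched losing ticket still verifies. The commitment only helps if it is held somewhere the hub's super-users cannot reach, which is what the off-site mirror in the article provides.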

To: TexRef
Here's some more information from the Daily Racing Form:

Pick six trio surrenders
By MATT HEGARTY


WHITE PLAINS, N.Y. - The three suspects in the Breeders' Cup pick six investigation surrendered to the authorities Tuesday, then were arrested and named in a criminal complaint accusing them of conspiring to commit wire fraud.

The suspects - the former Drexel University fraternity brothers Derrick Davis, Chris Harn, and Glen DaSilva - were handcuffed and then escorted by marshals into federal district court at 10:23 a.m. Eastern time. Later, the three appeared before U.S. Magistrate Judge Mark D. Fox, who released each of them on $200,000 bond and placed restrictions on their travel.

The three have not been charged with a crime, but prosecutors said they will pursue a variety of fraud and conspiracy charges when they present evidence to a grand jury over the next month as they seek an indictment. The United States attorney's office for the Southern District of New York will have until Dec. 17 to issue an indictment, according to Judge Fox.

James Comey, the U.S. attorney for the Southern District, said that investigators believe Harn, a former employee of Autotote Systems in Newark, Del., who was fired on Oct. 31, altered pick six and pick four bets placed by Davis and DaSilva through a telephone-wagering account at Catskill Off-Track Betting Corporation. Autotote, the country's largest totalizator company, processes wagers for Catskill.

Davis's bet, which triggered the investigation, accounted for all six winning tickets on the Breeders' Cup pick six on Oct. 26. The payout, which has been withheld, was $3.1 million. DaSilva's bets, placed on Oct. 3 and Oct. 5, paid $109,365, the complaint said.

"The complaint alleges that these defendants used their access to computer systems and Mr. Harn's expertise to create a sure thing," Comey said. "It also makes clear that they bet that law enforcement would not catch them, but that's a bet they couldn't fix."

This was the first public appearance for the three suspects, whose names emerged separately as the investigation unfolded. All three wore expensive-looking suits and refused to speak with reporters or answer questions.

Lawyers for the suspects denied the accusation in the criminal complaint, which was filed on Nov. 8 but was not made public until Tuesday. Comey and other officials involved in the investigation said they would not comment on any evidence beyond what was listed in the complaint.

The charge of conspiracy to commit wire fraud, if included in an indictment, would carry a maximum penalty of five years in prison and a fine of $250,000. Comey said that prosecutors would pursue additional charges that could put the suspects "behind bars for a lengthy period of time."

Harn, Davis, and DaSilva, all 29, attended Drexel University in Philadelphia and were fraternity brothers at Tau Kappa Epsilon, which is popular with business and computer students. None of the three graduated, although Harn and DaSilva attended the school for six years.

Investigators have said they believe that to alter the bets the three suspects exploited several security gaps in the way bets are processed. The gaps would allow tote company insiders to enter computer systems to change a pick six bet after the first four races and to change a pick four bet after the first two races, investigators said.

According to the complaint, Harn, a senior computer programmer at Autotote, had access to data collected by Autotote at remote sites around the country. The complaint said that Harn had access to bets placed through a Catskill betting hub in Poughkeepsie, N.Y., maintained by Autotote on Oct. 26, the day the Breeders' Cup was run at Arlington Park outside Chicago.

The complaint said that Harn reported to Autotote's headquarters in Newark, Del., on Oct. 26 even though he was not scheduled to work that day. On that day, Harn received a call on his cell phone from a cell phone used by Davis during the time the Breeders' Cup races were being run.

While at Autotote, Harn "was involved in upgrading Autotote's computer systems for the purpose of implementing the [touch-tone telephone] wagering system" that Autotote marketed and sold to racing clients, including Catskill, the complaint said.

Harn, who lives in Delaware, spoke only in brief sentences while appearing in court on Tuesday afternoon, and he stuttered during his first response to Judge Fox about whether he understood his legal rights. Former co-workers have said that Harn has struggled with a stuttering problem for most of his life.

Harn was the first to leave the courthouse, brushing aside reporters while quickly lighting a cigarette before getting into a car with his lawyer, Dan Conti.

Davis, the complaint said, opened his account at Catskill OTB on Oct. 18, eight days before the Breeders' Cup was run. On Oct. 26, he placed the disputed pick six bet from Maryland using Catskill's touch-tone telephone betting system, selecting a single horse in the first four races and all the horses in the final two legs. The wager, in a $12 denomination, cost $1,152.

At the hearing, prosecutors revealed that a urine sample provided Tuesday morning by Davis had tested positive for cocaine. A retest also was positive, according to court officials.

Through his lawyer, Steve Allen, Davis denied using cocaine at any time in the past.

"He has not used any drugs, and he has no idea why he would test positive," Allen told Judge Fox. The judge warned Davis that if he tested positive while released on bond, he could be put in jail.

The complaint said that DaSilva won a pick four bet placed through Catskill on races at Balmoral on Oct. 3. The bet used one horse in each of the first two races and all the horses in the last two. DaSilva opened the Catskill account earlier that day.

Two days later, DaSilva bet a pick six ticket with an identical structure to the bet Davis placed on the Breeders' Cup pick six, although in a $16 denomination. The payout on that ticket was $107,608.

On Oct. 7, DaSilva faxed Catskill a request for an $80,000 check, the complaint said, and DaSilva deposited the check on Oct. 15 into an account at Citibank in New York, where he lives.

Comey said that prosecutors are pursuing ways to freeze the bank accounts of the three suspects, but he would not provide details. "We are aggressively pursuing all ill-gotten gains," Comey said.

DaSilva's lawyer, Ed Hayes, said on Tuesday after his client's court appearance that "the government has not shown any evidence" that DaSilva's bets were not legitimate. Conspicuous by its absence in the complaint is any connection of DaSilva to Harn on Oct. 3 or Oct. 5, even though the complaint makes specific and explicit connections between Davis and Harn on Oct. 26.

"The only thing that we know for sure is that Autotote has the world's worst computer security," Hayes said. "And they have had the world's worst computer security for 20 years."

Racing and tote officials have raised questions about the quality of the security controls that underlie Autotote's system, pointing to the fact that company officials initially claimed that Davis's wager was legitimate. The company rapidly backtracked on Oct. 31 when it announced that it had fired Harn.

Comey said that computer experts in the F.B.I., the New York State Police, and the U.S. attorney's office would uncover more evidence down the road.

"This is our bread and butter: computer crime and garden-variety fraud," Comey said. "There's nothing really fancy here. I'm not worried about getting embarrassed on this one."

2 posted on 12/12/2002 5:50:38 PM PST by TexRef

To: *Computer Security In
bump
3 posted on 12/12/2002 5:52:05 PM PST by The Obstinate Insomniac

To: TexRef
I don't think there has ever been a 'break-in' without insider help.
4 posted on 12/12/2002 6:34:59 PM PST by OldFriend

To: TexRef
Interesting implications for the "electronic ballot" that so many states are rushing into.
5 posted on 12/12/2002 8:06:22 PM PST by concentric circles

To: concentric circles
Interesting implications for the "electronic ballot" that so many states are rushing into.

True, security for balloting must be ironclad, but the banking industry seems to be able to do it with several million ATM transactions per day.

The problem here is gambling. When there is money to be made from cheating, somebody will always try it. Anyone who trusts an electronic means of gambling is a fool.

6 posted on 12/12/2002 8:40:39 PM PST by hunter112

To: TexRef
the staffer, Chris Harn, had "the highest level" of access-sometimes referred to as a "super-user"-to Autotote's network...

"You have to understand that this individual was one of, if not the most trusted member of our (IT) team," says Rhonda Barnat, a spokeswoman for Autotote. "That someone you trust so much would do something like this is just devastating."

Yup. Separation of duties should be used to make sure that no one has that much power, especially on financial systems. This was an inside job just waiting to happen.

7 posted on 12/12/2002 9:05:33 PM PST by TechJunkYard

To: TechJunkYard
You design on the basis of least privilege, and you set up business processes based on the concept of need to know.
8 posted on 12/12/2002 9:08:06 PM PST by Poohbah
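The audit-control review Wysopal calls for in the article, together with the separation-of-duties and least-privilege points in comments 7 and 8, as an added example that is not part of the thread or of any tote vendor's software: an off-site collector receives each audit record as it is written and links the records in a hash chain, so an administrator who edits or deletes entries on the production host breaks the chain the collector can verify; a review pass then flags wager modifications made after betting closed and notes whether a privileged account made them. The record layout, usernames, ticket identifiers and all times are constructed.

```python
"""Added example, not the article's or Autotote's code.  Hash-chained audit
records plus a review pass for post-close wager changes.  All data constructed."""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64


def record_hash(prev_hash, fields):
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()


def append(chain, **fields):
    """Append a record linked to the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(dict(fields, prev=prev, hash=record_hash(prev, fields)))
    return chain


def verify_chain(chain):
    """Return the index of the first broken link, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        fields = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if entry["prev"] != prev or entry["hash"] != record_hash(prev, fields):
            return i
        prev = entry["hash"]
    return None


def review(chain, bets_close, privileged):
    """Wager modifications after the close of betting, and who made them."""
    findings = []
    for entry in chain:
        if entry.get("action") != "WAGER_MODIFY":
            continue
        when = datetime.fromisoformat(entry["ts"])
        if when > bets_close:
            findings.append({
                "ticket": entry["ticket"],
                "user": entry["user"],
                "minutes_after_close": int((when - bets_close).total_seconds() // 60),
                "privileged": entry["user"] in privileged,
            })
    return findings


def build_sample_log():
    """Constructed records for race day; every time and name here is assumed."""
    chain = []
    append(chain, ts="2002-10-26T11:40:00", user="ivr", action="WAGER_PLACE",
           ticket="T1", detail="3/7/2/9/ALL/ALL")
    append(chain, ts="2002-10-26T11:55:00", user="ivr", action="WAGER_PLACE",
           ticket="T2", detail="1/4/6/2/5/8")
    append(chain, ts="2002-10-26T13:02:00", user="tote_admin", action="LOGIN",
           ticket=None, detail="console, unscheduled shift")
    append(chain, ts="2002-10-26T14:21:00", user="tote_admin", action="WAGER_MODIFY",
           ticket="T1", detail="3/7/2/9 -> 5/7/4/9")
    append(chain, ts="2002-10-26T14:48:00", user="hub", action="BATCH_SEND",
           ticket=None, detail="2 tickets to host")
    return chain


BETS_CLOSE = datetime(2002, 10, 26, 12, 0)   # assumed first post of the card
PRIVILEGED = {"tote_admin"}


def demo():
    offsite = build_sample_log()            # copy shipped as each record was written
    local = [dict(e) for e in offsite]      # the production host's own copy
    del local[3]                            # insider deletes the WAGER_MODIFY entry
    return {
        "findings": review(offsite, BETS_CLOSE, PRIVILEGED),
        "local_break": verify_chain(local),
        "offsite_break": verify_chain(offsite),
    }


if __name__ == "__main__":
    print(demo())
```

Deleting the modification record on the production host leaves the next entry pointing at a hash that no longer precedes it, so `verify_chain` reports the break; the off-site copy still verifies and its review pass surfaces the one wager changed after the close by a privileged account. Separation of duties is what makes the review meaningful: the account that can modify wagers must not also be able to write to the collector.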
