Auto dealership employee bricks car fleet


NEWS

Editorial Office: Elsevier Ltd The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom Fax: +44 (0)1865 843973 E-mail: [email protected] Web: www.computerfraudandsecurity.com Publisher: Laurence Zipson E-mail: [email protected] Editor: Danny Bradbury E-mail: [email protected] Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia Production Support Manager: Lin Lucas E-mail: [email protected] Subscription Information An annual subscription to Computer Fraud & Security includes 12 printed issues and online access for up to 5 users. Prices: 1085 for all European countries & Iran US$1178 for all countries except Europe and Japan ¥144 400 for Japan (Prices valid until 31 December 2010) To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971 Email: [email protected], or via www.computerfraudandsecurity.com. Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: [email protected]. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. 

02065 Pre-press/Printed by: Mayfield Press (Oxford) Limited


Computer Fraud & Security

...Continued from page 1 be divided among too many people (3.5 million plaintiffs) to be worthwhile. However, privacy groups protested the mechanics of the settlement, arguing that Facebook shouldn’t be on the board of the trust fund, and also complaining that consumers should have received direct relief as a result of the settlement.

Auto dealership employee bricks car fleet

You’ve heard about Apple potentially bricking iPhones, but that’s small potatoes, compared to remotely disabling whole fleets of cars using centrally controlled computer systems. That’s just what a 20-year-old employee for a Texas auto dealership is being accused of doing after he was laid off last month.

According to a report by Wired, Omar Ramos-Lopez, a former employee at the Texas Auto Center, was arrested after allegedly using a web-based vehicle immobilisation system to stop cars sold by the dealership from working. The Auto Center reportedly used a system from Pay Technologies called Webtech Plus. Designed to remotely disable cars whose owners are behind on their payments, the system can be made to remotely honk a car’s horn, or to prevent it from being started up.

Ramos-Lopez is said to have had his account on the system closed when he left, but commentators close to the situation said that he gained access using another employee’s password. He was then allegedly able to set up a database of 1100 customers who had purchased vehicles from the Center’s four dealership lots, said the Wired story. He was able to disable the cars and set off their horns. Customers were calling the dealership in a confused state, asking why their horns were honking, and were forced to disconnect their batteries, said reports.

Cars controlled by the Webtech Plus system are manipulated using a hardware device installed behind the dashboard, which is sent instructions via a wireless pager network. Cars cannot be stopped while they are in motion.

According to Texas Auto Center manager Martin Garcia, Ramos-Lopez was “pretty good with computers”, although the alleged hacker couldn’t have been that good; investigators tracked him down by finding an IP address for offending Webtech sessions in system logs. You’d have thought that someone going to those lengths to gain revenge on a former automotive employer would have taken the road less travelled, and perhaps researched something like Tor before sparking up their browser.

Netflix cancels contest sequel

DVD rental company Netflix has quietly cancelled a sequel to its Netflix Prize, a contest to enhance its movie recommendation technology using anonymous user data.

After a Federal Trade Commission investigation, and a lawsuit attempting to block the sequel, Netflix’s chief product officer Neil Hunt posted a message on the Netflix blog announcing that the second contest had been cancelled. Netflix had used anonymous movie rental data, pulled from its large database of customer information, and invited contest participants to refine the movie recommendation algorithm using the data. However, researchers at the University of Texas managed to deanonymise some of the data in the list of 10 million movie rankings by 500 000 customers. They compared rankings and timestamps with public information in the Internet Movie Database.

“We have reached an understanding with the FTC and [have] settled a lawsuit with plaintiffs,” Netflix said in a statement. “The resolution to both matters involves certain parameters for how we use Netflix data in any future research programs. In light of all this, we have decided to not pursue the Netflix Prize sequel that we announced on August 6, 2009.”

Most of the comments on the company’s blog reacted negatively to the move, supporting the idea of a contest. “Trending towards the lowest common denominator just isn’t progress,” said one angry participant in the discussion.

March 2010