Aussie InfoSec Researcher to Be SentencedPolice Charged Researcher With Network Intrusion
An Australian computer security researcher will be sentenced May 1 after pleading guilty to several charges related to unauthorized intrusions into the network of GoGet, a vehicle sharing service.
Nikola Cubrilovic of Penrose was charged in January 2018 with gaining unauthorized access to GoGet's network and parlaying the access to use GoGet vehicles without consent more than 30 times between May and July 2017.
GoGet runs a fleet of 3,000 vehicles across five Australian cities that customers can rent by the hour or day.
Computerworld reports Cubrilovic faced 39 charges, but the majority of the charges have been dismissed. Cubrilovic, who is free on bail, pleaded guilty earlier this month to four charges of taking a vehicle without consent, one charge of dealing with identity information and one charge of obtaining a financial advantage. He was originally due to face trial this week.
Efforts to reach Cubrilovic via Twitter and LinkedIn were unsuccessful. A GoGet spokesman says the company has no comment.
Known Bug Hunter
Cubrilovic was known within the Australian computer security community and had received media attention for his research.
In 2015, he discovered cross-site scripting vulnerabilities within the government's myGov site, which lets people file their taxes and access a variety of other support services and benefits. According to The Age, Cubrilovic found he could use the flaws to hijack anyone's myGov account.
"With the assistance of company staff, investigators identified that unauthorized access was gained into the company's fleet booking system and customer identification information from the database was downloaded."
—NSW State Crime Command Cybercrime Squad
He was fairly prolific on Twitter until about a year before his arrest at his home in Penrose in January 2018. Police seized computers, laptops and storage devices.
Detectives with the New South Wales State Crime Command's Cybercrime Squad began investigating the GoGet situation around July 2017. The squad formed a task force, called Strike Force Artsy, to investigate unauthorized access into the administrative sections of GoGet's website.
Police said at the time that GoGet quickly approached police when it noticed irregularities, which aided in the investigation.
"With the assistance of company staff, investigators identified that unauthorized access was gained into the company's fleet booking system and customer identification information from the database was downloaded," according to a police news release on Jan. 31, 2018.
Police: Payment Cards Accessed
Security research can be a legally dicey area, and it's not unheard of for researchers to get into tangles. Companies have occasionally accused researchers of hacking and contacted law enforcement, but the situations are usually resolved without charges once the air clears.
But Cubrilovic's case did not appear to be one of misinterpreted but well-intended research.
Initially, he was charged with 33 counts related to using GoGet vehicles without consent, two counts of unauthorized access and "modification, or impairment with intent to commit serious indictable offense," police say.
Police say it didn't appear that some of accessed customer information, which included a "small number" of payment card details, had been fraudulently used or distributed.