This Week in Security: 70M Prisoner Call Records Leaked, New PoS Malware, Arrests in JPMorgan Hack

Our security roundup series covers this week’s trending topics in the world of InfoSec. In this quick-read compilation, we’ll let you know of the latest news and controversies that the industry has been talking about.
Here’s what you don’t want to miss from the week of November 9, 2015:
- More than 70 million records of phone calls made by United States inmates were leaked to reporters of The Intercept by an anonymous hacker. The publication reported that the data points to a major security breach at Securus Technologies, a provider of phone services inside the nation’s jails and prisons. Not only did the database include links to downloadable recordings of the calls but also at least 14,000 conversations between inmates and attorneys, a violation of prisoners’ rights to confidential attorney-client communications.
“This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.”
- According to the director of the anonymizing service The Tor Project, the FBI paid researchers at Carnegie Mellon University “at least $1 million” to unmask users and reveal their IP addresses as part of a large criminal investigation. An FBI spokesperson has responded, saying the allegations are “inaccurate.” Meanwhile, Ed Desautels, a spokesman for Carnegie Mellon’s Software Engineering Institute, did not deny the accusations directly, stating: “I’d like to see the substantiations for their claim. I’m not aware of any payment.”
- US authorities announced multiple arrests and indictments in connection with the separate hacks at some of the nation’s largest financial institutions and brokerage firms, including JP Morgan Chase, eTrade and Scottrade. According to US Attorney Preet Bharara, the hacking was done to support a series of stock-manipulation schemes, as well as gambling and payment-processing schemes. The incidents resulted in the theft of more than 100 million customer records – 80 million from one financial firm alone.
- A breach of Comcast customer credentials prompted the cable provider to reset more than 200,000 accounts after a database of users’ email addresses and corresponding passwords was found for sale on the Dark Web. The list contained details of approximately 590,000 accounts for a total price of $1,000. However, only around 200,000 of those combinations were reportedly still current. Although it’s unclear how the breach occurred, Comcast claims its systems were not compromised.
- Researchers have discovered two new strains of point-of-sale (PoS) malware, including one that’s gone largely undetected for nearly five years, reported Threatpost. Dubbed ‘Cherry Picker,’ the malware has been targeting businesses selling food and beverage since 2011, stealthily using a combination of configuration files, encryption, obfuscation and command line arguments. The other type of PoS malware – known as ‘Abbadon’ – is the “latest in a long line of sophisticated PoS malware samples that have popped up,” said Kevin Epstein, VP of Threat Operations at Proofpoint.
“AbbadonPOS appears to have features for anti-analysis, code obfuscation, persistence, location of credit card data, and a custom protocol for exfiltrating data. Much like malware as a general category, the sophistication of this new malware over prior malware continues to increase,” said Epstein.
- A Belgian court has ordered Facebook to stop collecting digital information about users who don’t have accounts with the social media site or face fines of up to €250,000 ($269,000) a day. The ruling comes after the Belgian Privacy Commission filed a civil suit against the company in June, saying it tracks users who visit the site or use the “like” or “share” buttons, regardless of whether they own a Facebook account or not. The company said in a statement it plans to appeal the ruling, arguing the country’s data protection watchdog has no jurisdiction over its European business, as it’s headquartered in Ireland.