The WicKed Web Weekly
PandoraFMS Enterprise v7.0NG.767: A Host of Vulnerabilities
RIPE Account Hack Disrupts Orange Spain’s Internet Service, PandoraFMS Enterprise v7.0NG.767: A Host of Vulnerabilities, 23andMe Data Breach: Victim Blaming Amidst Legal Battles.
Good evening, Brew Crew! We're diving into a trio of tech tremors that are sending shockwaves through the digital world. First up, Orange Spain's internet service takes a nosedive thanks to a crafty hacker's intrusion, spotlighting the ever-present threats in our connected landscape. Next, we shift gears to PandoraFMS Enterprise, uncovering a Pandora's box of vulnerabilities that could leave networks exposed to cyber shenanigans. And for the grand finale, we unravel the controversial aftermath of 23andMe's data breach. Here, the blame game reaches new heights as the company points fingers at the victims, igniting a fiery debate on data responsibility. So, buckle up as we explore these digital dramas, each a potent reminder of the delicate balance between technology, security, and ethics in our online universe! 🌐💻🔒

RIPE Account Hack Disrupts Orange Spain’s Internet Service
Orange Spain suffered a significant internet outage on January 3, 2024 after a hacker using the handle 'Snow' took control of Orange Spain's account with RIPE NCC, the Regional Internet Registry for Europe, the Middle East and parts of Central Asia. Changes made through that account disrupted Border Gateway Protocol (BGP) routing for Orange's prefixes, and the operator lost a large share of its internet traffic for several hours.
Felipe Canizares of DMNTR Network Solutions described the attack as one of the most ingenious ever mounted against a major internet operator. The intrusion most likely traces back to the Raccoon information stealer, which infected an Orange employee's computer in September and harvested the RIPE account credentials; the stolen login was then used months later.
Snow did not demand a ransom but still caused serious disruption, claiming the intent was to forestall a more damaging compromise by someone else. Orange Spain confirmed the incident, stated that no customer data was exposed, and reported that service was restored.
RIPE NCC is investigating the breach and has returned control of the account to Orange. Its guidance to account holders is the obvious one for a registry login that can change how an operator's address space is routed: rotate the password and enable multi-factor authentication, since a single stolen credential was enough here.

PandoraFMS Enterprise v7.0NG.767: A Host of Vulnerabilities
PandoraFMS Enterprise v7.0NG.767, a network monitoring and management platform, was found to contain 18 vulnerabilities of varying severity. The headline issues are unauthenticated admin account takeover, database backups readable by any user, remote code execution, and several cross-site scripting flaws.
The most critical, CVE-2023-4677, allowed an admin account takeover via cron log file backups, while CVE-2023-41786 exposed database backups to all users. Another serious one, CVE-2023-41788, enabled remote code execution through the MIB (SNMP Management Information Base) file uploader.
The remaining issues included arbitrary file reads, privilege escalation and denial of service. Even so, the researchers judged PandoraFMS's overall security posture to be mature, with robust RBAC controls and clear efforts to mitigate SQL injection, IDOR and LFI.
Fixes were rolled out across versions v773, v774 and v775 (v7.0NG.773 through 775), so anyone still running v7.0NG.767 should upgrade to at least v7.0NG.775 to pick up all of them. The disclosure is a reminder that monitoring tools, which by design hold credentials for and reach into much of the estate, deserve the same patching discipline as anything internet-facing.

23andMe Data Breach: Victim Blaming Amidst Legal Battles
23andMe faces more than 30 lawsuits following a massive data breach that affected 6.9 million people, roughly half of its customer base. Despite the scale, the company has controversially shifted blame onto the victims. The attackers compromised about 14,000 accounts by credential stuffing (replaying username and password pairs leaked from other sites), then used the DNA Relatives feature of those accounts to harvest the profile data of the 6.9 million users linked to them.
Lawyer Hassan Zavareei criticized 23andMe's response, pointing to the company's failure to implement safeguards against a well-known attack such as credential stuffing; rate limiting of login attempts, detection of one source spraying many accounts, checks against known-breached passwords and mandatory multi-factor authentication are the standard controls. 23andMe maintains that the breach stemmed from users reusing passwords, but Zavareei argued that the overwhelming majority of those affected never had their own account compromised at all: their data was exposed through the DNA Relatives feature, not through any lapse of their own.
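The distinction Zavareei draws matters for detection: credential stuffing looks different in a login log from a brute-force attack on one account or a user mistyping a password, and a service can spot it before the attacker gets far. The following is an added example, not 23andMe's code or data; the log format, the sample lines and the thresholds are all assumptions made for the illustration. It flags a source address that fails against many distinct accounts in a short window, raises a separate alert when that same source then logs in successfully, and keeps the single-account brute-force pattern as its own rule.

```python
"""Toy credential-stuffing detector over login-attempt logs (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<timestamp> <source IP> <username> <FAIL|OK>".
# 203.0.113.7  sprays leaked credentials across many accounts and lands one (stuffing).
# 198.51.100.9 hammers a single account (brute force, a different pattern).
# 192.0.2.33   is a legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-10-01T10:00:00Z 203.0.113.7 u001@example.com FAIL
2023-10-01T10:00:01Z 203.0.113.7 u002@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 u003@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 u004@example.com FAIL
2023-10-01T10:00:04Z 203.0.113.7 u005@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 u006@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 u007@example.com OK
2023-10-01T10:01:00Z 198.51.100.9 carol@example.com FAIL
2023-10-01T10:01:01Z 198.51.100.9 carol@example.com FAIL
2023-10-01T10:01:02Z 198.51.100.9 carol@example.com FAIL
2023-10-01T10:01:03Z 198.51.100.9 carol@example.com FAIL
2023-10-01T10:01:04Z 198.51.100.9 carol@example.com FAIL
2023-10-01T10:01:05Z 198.51.100.9 carol@example.com FAIL
2023-10-01T10:02:00Z 192.0.2.33 dave@example.com FAIL
2023-10-01T10:02:10Z 192.0.2.33 dave@example.com OK
2023-10-01T10:30:00Z 203.0.113.7 u008@example.com FAIL
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass(frozen=True)
class Alert:
    kind: str   # CREDENTIAL_STUFFING, SUSPECTED_TAKEOVER or PASSWORD_BRUTE_FORCE
    ip: str
    user: str
    ts: datetime


def parse_line(line: str) -> Attempt:
    """Parse one log line of the assumed format above."""
    ts, ip, user, result = line.split()
    return Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK")


def detect(log_text: str,
           window: timedelta = timedelta(minutes=2),
           min_distinct_users: int = 5,
           max_fails_per_user: int = 5) -> list[Alert]:
    """Sliding-window rules per source IP, evaluated in timestamp order.

    Stuffing:  >= min_distinct_users distinct usernames failed from one IP inside `window`.
    Takeover:  a successful login from an IP whose window currently meets the stuffing rule.
    Brute force: >= max_fails_per_user failures against one username from one IP in `window`.
    """
    attempts = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                      key=lambda a: a.ts)
    recent_fails = defaultdict(deque)   # ip -> deque of (ts, user) failures still inside window
    flagged_stuffing, flagged_brute = set(), set()
    alerts: list[Alert] = []

    for a in attempts:
        q = recent_fails[a.ip]
        while q and a.ts - q[0][0] > window:   # expire failures older than the window
            q.popleft()
        if not a.ok:
            q.append((a.ts, a.user))

        distinct_users = {u for _, u in q}
        same_user_fails = sum(1 for _, u in q if u == a.user)

        if not a.ok:
            if len(distinct_users) >= min_distinct_users and a.ip not in flagged_stuffing:
                flagged_stuffing.add(a.ip)       # alert once per IP per spray
                alerts.append(Alert("CREDENTIAL_STUFFING", a.ip, a.user, a.ts))
            if same_user_fails >= max_fails_per_user and (a.ip, a.user) not in flagged_brute:
                flagged_brute.add((a.ip, a.user))
                alerts.append(Alert("PASSWORD_BRUTE_FORCE", a.ip, a.user, a.ts))
        elif len(distinct_users) >= min_distinct_users:
            # A success from a source that is mid-spray is the account the attacker just got.
            alerts.append(Alert("SUSPECTED_TAKEOVER", a.ip, a.user, a.ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.ts.isoformat()} {alert.kind:<20} {alert.ip:<14} {alert.user}")
```

On the sample, the spraying address trips CREDENTIAL_STUFFING on its fifth distinct account and SUSPECTED_TAKEOVER on the one login it gets right, the single-account hammering trips only PASSWORD_BRUTE_FORCE, and the user who mistyped once triggers nothing; the stray failure at 10:30 falls outside the window and is ignored. In production the source key would be widened beyond a single IP (stuffing tools rotate through proxies) and the alerts would feed a step-up MFA challenge or a lockout rather than just a log line.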
23andMe's defensive stance in its letter to the victims, which asserts that the stolen data cannot cause them monetary harm, has drawn heavy criticism. After the breach the company reset every customer's password and made multi-factor authentication mandatory, controls that would have blunted the credential stuffing had they been in place beforehand. It also changed its terms of service in a way that appears designed to limit collective legal action by the victims.
None of this has stemmed the flow of class action suits, which reflect growing legal and ethical scrutiny of how companies secure, and take responsibility for, sensitive genetic data.