This is episode No. 97 of Unsupervised Learning—a weekly show where I curate 3-5 hours of reading in infosec, technology, and humans into a 30 minute summary. The goal is to catch you up on current events, tell you about the best content from the week, and hopefully give you something to think about as well…

This week’s topics: Major WPA2 Flaw, Suburu hack, Vulnerable Container Ships, F-35 Data Stolen, Accenture S3 Buckets, tech news, human news, ideas, discovery, recommendations, aphorism, and more…

Listen and subscribe via…

Read below for this episode’s show notes & newsletter, and get previous editions…

InfoSec news 





It looks like WPA2 might be broken in some major way, with a vulnerability name of KRACK for Key Reinstallation Attack, and the full paper is going to be released soon. The upshot seems to be people eavesdropping on your wireless traffic and extracting the data, even if you’re using WPA2. Expect this to be a favorite vulnerability for a long time, keeping in mind that TLS still helps significantly. Link



A vulnerability in Suburu key fobs allows an attacker to steal vehicles and lock out the owner due to the use of predictable codes. The researcher, Tom Wimmenhove, also showed how to build the car stealing device, which costs around $25 to make. Link



Container ships are basically floating ICS systems connected to the internet, and one researcher has found a bunch of them on Shodan and says they often use default and weak credentials. Link



The DoD has confirmed that an Australian defense firm was hacked, and the attackers stole classified data on the F-35 fighter jet. They evidently popped a public-facing server and used shared credentials to move laterally once inside. The malware used was called China Chopper, which has been used by Chinese hackers in the past. Link



Accenture got caught with their S3 buckets down, and disclosed a bunch of sensitive keys, credentials, and customer data, including up to 40,000 plaintext passwords that might belong to Accenture customers. At this point these stories are producing a nervous laughing/weeping. It’s like we know exactly what the problem is but people still aren’t seeing if they have it. Link



Hyatt hotels has had its second breach in 2 years. They said their cybersecurity team discovered signs of unauthorized access of payment information of certain Hyatt-managed locations. I’d tell you to change your credit cards, but it really wouldn’t matter. This is the new normal. Link



Google is nerfing their Home Minis because they were deployed in an “always listen” mode and someone figured it out and went public about it. I can’t imagine Amazon or Apple making this mistake, but I could imagine from Facebook and Google. This is why I won’t be deploying any of their home assistant technology anytime soon. Link



Forrester had a data breach on its website allowing attackers to steal the content it provides to its customers. The PR release was quite nimble. Link



Lockheed Martin, Boeing, Raytheon, and Northrop Grumman all lack HTTPS on their main websites. Ridiculous. Link



Patching: October Windows Security Updates, , WPA2, Flash





Technology news 





The MICrONS project, conducted through Baylor, CMU, Harvard, and Princeton and IARPA, are looking to spend $100 million to reverse engineer the brain once and for all. Link



Alibaba is doubling its R&D spend to $5 billion, but that’s less than a third of what Amazon is spending. Fear Amazon. I don’t care if you make toilet paper or airplanes—be afraid of anyone spending more than $15 billion on R&D who’s willing to fail and is shipping products. Link



Bitcoin has topped $5,700. Link





Human news