Search results

Wednesday, February 20, 2019 @ 03:02 PM gHale

By Gregory Hale
Memory sticks, thumb drives, flash drives, or just plain USB; whatever you call them, they all provide a valuable service, and like it or not, just about everyone in the manufacturing automation sector uses them.

The catch is, while they remain a valuable tool, manufacturers are in a constant battle to eliminate them from the plant floor – and with good reason.

“USB threats are shifting away from malware to how USB devices behave,” said Sam Wilson, global product marketing manager for Honeywell Cyber Security, during a talk at the ARC Industry Forum 2019 in Orlando, FL, earlier this month. “There are USBs that, when you plug them in, act like a keyboard. It is no longer safe to assume that when something looks like a USB storage device, it is a USB storage device. It may not be safe to use.”

That is one reason why Honeywell unveiled its latest version of Secure Media Exchange (SMX) during the industry forum. SMX is a device that can protect industrial operators against new and emerging USB threats. SMX includes capabilities to protect against a broad range of malicious USB device attacks, which disrupt operations through misuse of legitimate USB functions or unauthorized device actions.

In short, the user can plug their USB into the SMX device and it will be able to tell if there is any malicious software on the device. Once SMX clears the device, it is then OK to use out on the plant floor.

USB Protection
In the latest release there are advanced protections to complement additional SMX enhancements to malware detection, utilizing machine learning and artificial intelligence (AI) to improve detection by up to 40 percent above traditional anti-virus solutions, according to a Honeywell study. Together, these updates to the SMX platform deliver enterprise-wide USB protection, visibility and control.

USB devices include flash drives and charging cables, as well as many other USB-attached devices. They represent a primary attack vector into industrial control system (ICS) environments, and existing security controls typically focus on the detection of malware on these USBs.

New research by Ben-Gurion University shows there are new categories of USB threats that manipulate the capabilities of the device standard to circumvent traditional security controls and directly attack ICS.

Since manufacturing automation professionals use USB devices more often than not, these device-based USB assaults matter: They represent 75 percent of today’s known USB attacks. Such attacks can weaponize common USB peripherals such as keyboards and speakers.

‘Dirty Little Secret’
“There is a dirty little secret out there: We need to start protecting against the actual devices themselves,” Wilson said. “The weak link sinks the ship. Three quarters of attacks can attack through the device itself and not through malware on the device.”

Wilson gave examples of named USB attacks: USB Harpoon, “which is a storage device that ends up connected and attackers can gain information”; BashBunny, a USB-looking device that contains a mini computer; and RubberDucky, which presents itself as a keyboard.

Part of using the SMX, Wilson said, allows for good security basics:
1. Enforce technical controls
2. Monitor and manage network traffic
3. Regular, rapid AV updates
4. Patch and Harden end nodes
5. Consider restricting personal USB devices
6. Deploy (and test) backup and recovery

The latest SMX technology release includes:
• Centralized Management which provides visibility of USB devices entering industrial control environments and centralized threat management across all SMX sites
• ICS Shield Integration which provides additional visibility into USB activity on protected end nodes, closing the loop between centralized management services and distributed protections inside the ICS
• Expanded SMX offering provides multiple form factors to meet specific industrial needs, including portable SMX ST models for busy operational staff, and fully ruggedized models that meet industrial use cases including hazardous environments

SMX has been out for a few years and last year Honeywell released a report about what ICS attacks they have found since manufacturers started using the device.

According to the anonymized report, 16 percent of malware blocked by SMX was targeted specifically against ICS or Internet of Things (IoT) systems.

On top of that, 1 in 4 (26 percent) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, the report found.

ICS Attack Malware
“It is not the fact there are threats on USB drives; everybody understands USB drives are the way for malware to move around,” Eric Knapp, chief engineer, cyber security solutions and technology at Honeywell Industrial Cyber Security, said when the report was released back in October. “I was surprised by the malware we did find; there was a lot of it that was potent. We have 16 percent specifically targeted for industrial control systems or IoT. Fifteen percent of the total malware found was big name stuff. We found Stuxnet, we found Triton, we found Mirai and a bunch of others. A surprising amount of it was capable of causing some sort of disruption.”

Even though manufacturers understand the inherent dangers of using USB drives, there is more pressure to limit network access to industrial control systems, so dependence upon removable media to transfer information, files, patches and updates has been greater than ever.

USB represents an even greater threat than spreading malware since a USB device can be used to attack systems directly, using the USB interface as a powerful attack vector. As mentioned earlier, the USB device does not need to have malware on it to attack. BadUSB, a technique that turns USB devices such as fans and charging cables into potential attack vectors, is starting to become weaponized, according to the report.

Best Practices
The report findings illustrate the importance of adopting and adhering to cyber security best practices, including:
• USB security must include technical controls and enforcement. Relying on policy updates or people training alone will not suffice for scalable threat prevention. Despite the widespread belief that USB drives are dangerous, and despite the prevalence of corporate USB usage policies, the data provides ample evidence USB security is poor.
• Outbound network connectivity from process control networks should be tightly controlled, and such restrictions should be enforced by network switches, routers and firewalls.
• Security upkeep is important: Antivirus software deployed in process control facilities needs to be updated daily to be at all effective.
• Patching and hardening of end nodes is necessary, despite the challenges of patching production systems.
• USB security is poor. Additional cyber security education is required for proper handling and use of removable storage. This is supported by the presence of video game cheat engines, password crackers, and known hack tools found among the samples analyzed. This can and should be addressed through employee and partner awareness programs.
• Ransomware is a serious threat to industrial facilities. The financial losses from ransomware are easily thwarted by maintaining regular backups and having a tested recovery process in place.

Wednesday, February 20, 2019 @ 11:02 AM gHale

By Alessandro Di Pinto
It’s important for those defending critical and industrial infrastructure to share knowledge and stay up-to-date on malware tradecraft.

With that in mind, when the GreyEnergy Advanced Persistent Threat (APT) was unveiled by ESET last year, I put my reverse engineering skills to work to analyze one of the malware’s infection techniques. This was the phishing email containing a malicious Microsoft Word document (maldoc) that led to the installation of the malware (backdoor) on a victim’s network. ESET researchers said GreyEnergy operators have been strategically targeting ICS control workstations running SCADA software and servers for espionage and reconnaissance purposes.

A new research paper provides a comprehensive analysis of how the malware works, from the maldoc, to the custom packer and the final dropper (backdoor). This investigation is a more detailed analysis, with the deepest investigation done on the packer, an executable that decrypts and decompresses another executable inside itself.

This is a summary of the techniques used by the packer to conceal its true functionality. For those wanting more detail, the full research paper, entitled “GreyEnergy: Dissecting the Malware from Maldoc to Backdoor, Comprehensive Reverse Engineering Analysis,” is available on registration.

‘Packer’ Executable Concealed
When someone opens the Word document contained in the GreyEnergy phishing email, and clicks on “Enable Content,” malicious code is downloaded from a remote location.

The downloaded file is an executable which I suspected was a “packer,” i.e. an executable which contains one or more executables compressed and encrypted. While sometimes used legitimately to protect intellectual property, packers are also used by threat actors to hide malware.

As I investigated the suspected packer executable, I found it was built using several anti-analysis techniques:

Junk code – Unnecessary code that has no impact on the suspected packer’s code, and whose purpose is to confuse the reverse engineer. GreyEnergy contains a massive amount of junk code.

Overlapping instructions – GreyEnergy uses JMP instructions that function as overlapping instructions, where the same sequence of bytes can be interpreted as different instructions, depending on the exact byte in which execution starts.

JMP-based execution code – The execution flow of the suspected GreyEnergy packer is almost completely based on the use of JMP instructions, instead of sequential instructions. This makes it very hard to identify the true executable, hidden in a sea of junk code. Furthermore, the binary file of the suspected packer appeared to have overlay data. This is data appended at the end of the file that includes an additional executable component, and is decrypted during run-time.

Entropy – This is an assessment of a file’s randomness. Using one measure of entropy, with a scale of 0 to 8, where results of 7 or more indicate encryption, GreyEnergy has a score of 7.994. This is a strong indicator overlay data is encrypted.

Malware Revealed
After assessing the above aspects of the malware, I had a strong suspicion that I was dealing with a packer, but lacked solid proof. I decided to switch to a dynamic analysis approach in order to speed up the investigation. I then discovered several interesting attributes of the suspected packer file:

Hardcoded imports – The WinAPIs called by the suspected packer are not contained in the PE import table, but loaded at runtime and pushed onto the stack using a mov instruction, without any kind of obfuscation technique.

String overwrite – The suspected packer overwrites all strings with zeros, after the strings have been loaded into memory.

By now, there are multiple indicators that strongly suggest the binary is a packer:
• Apparently encrypted overlay
• Anti-analysis techniques
• APIs manually resolved by parsing the PE header
• Strings hardcoded inside the code and overwritten with 0x00s after use

Accessing the overlay – The malware uses a series of steps to identify where the overlay starts and the exact size of its own executable, and allocates space for itself inside the memory. Analysis reveals exactly how the malware identifies the right offset for the overlay.
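As an added illustration, and not the author’s own tooling (it is neither Nozomi’s GreyEnergy Unpacker nor the Yara module), the following Python script locates a PE file’s overlay the same way an analyst does (the end of the last section’s raw data in the section table) and scores each section and the overlay with the 0-to-8 entropy measure described above, flagging an overlay at 7 or more as likely encrypted. The PE it analyzes is constructed inside the script (one low-entropy section plus pseudo-random overlay bytes) and is not a GreyEnergy artifact; point `analyze()` at real file bytes to use it on a suspect binary.

```python
import math
import random
import struct
from collections import Counter

# Rule of thumb from the analysis above: on the 0..8 scale, a score of 7 or
# more suggests the bytes are encrypted (or compressed) rather than plain code.
ENCRYPTED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sections(pe: bytes):
    """Parse the PE section table; return [(name, PointerToRawData, SizeOfRawData)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    out = []
    for i in range(num_sections):
        hdr = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        out.append((name, ptr_raw, size_raw))
    return out


def overlay_offset(pe: bytes) -> int:
    """The overlay is whatever lies past the end of the last section's raw data."""
    return max((p + s for _, p, s in sections(pe)), default=0)


def analyze(pe: bytes) -> dict:
    """Score every section and the overlay; flag an overlay that looks encrypted."""
    start = overlay_offset(pe)
    overlay = pe[start:]
    ent = shannon_entropy(overlay)
    return {
        "sections": [(n, round(shannon_entropy(pe[p:p + s]), 3)) for n, p, s in sections(pe)],
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 3),
        "likely_encrypted_overlay": len(overlay) > 0 and ent >= ENCRYPTED_THRESHOLD,
    }


def build_sample_pe(overlay_size: int = 4096, seed: int = 1) -> bytes:
    """Constructed test input, not a real GreyEnergy sample: a minimal PE32 with
    one low-entropy .text section and pseudo-random bytes appended as overlay."""
    e_lfanew = 0x40
    size_opt = 0xE0                                             # PE32 optional header
    raw_ptr = (e_lfanew + 24 + size_opt + 40 + 0x1FF) & ~0x1FF  # 512-byte aligned
    text = ((b"\x90" * 64 + b"junk code junk code ") * 10).ljust(0x400, b"\x00")
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(size_opt, b"\x00")
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                           len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    rng = random.Random(seed)  # deterministic "encrypted-looking" overlay
    overlay = bytes(rng.getrandbits(8) for _ in range(overlay_size))
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt_hdr + sect_hdr)
    image.extend(b"\x00" * (raw_ptr - len(image)))  # pad up to the section data
    image += text + overlay
    return bytes(image)


if __name__ == "__main__":
    for key, value in analyze(build_sample_pe()).items():
        print(f"{key}: {value}")
```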

Decryption algorithm – The malware uses a custom algorithm to hide its malicious components. When the decryption algorithm is applied, it is clear the data contains an executable. However, there are several unexpected bytes between the recognized patterns, indicating the data is not yet complete. I suspected that the data is compressed somehow.

Decompression algorithm – My suspicion is quickly confirmed, and after decompression, the new buffer contains a valid Portable Executable (PE) header.

Original entry point (OEP) – Next the packer points to the uncompressed buffer, parses the PE header and iterates all sections again. Once it accesses the overlay data, a second PE header is revealed, which is the real malicious component (backdoor), waiting to be installed inside the victim’s systems.

It’s now possible to identify two specific components from the unpacked data – the dropper and the backdoor.

The suspected packer executes the dropper in-memory without storing it inside the filesystem. This step confirms the binary is a packer, because it has just demonstrated all the primary characteristics of packers.

The flow executed by the Packer includes decryption and decompression of the Dropper and Backdoor.
Source: Nozomi Networks

Stealthy Infection
Once complete, my analysis showed the GreyEnergy packer is robust and capable of significantly slowing down the reverse engineering process. The techniques used are not new, but the tools and the tactics employed were cleverly selected. The threat actors’ broad use of anti-forensic techniques underlines their attempt to be stealthy and ensure the infection would go unnoticed.

Based on how well the malware disguises itself once it infects a system, the best way for industrial organizations to protect themselves from the GreyEnergy APT is to train employees on the dangers of email phishing campaigns, including how to recognize malicious emails and attachments.

In addition, critical infrastructure networks should always be monitored with dedicated cyber security systems to proactively detect threats present on the network.

As a direct outcome of this analysis, I developed tools to help analysts dissect this piece of malware. The GreyEnergy Yara Module is high-performing code for compiling with the Yara engine. It adds a new keyword that determines whether a file processed by Yara is the GreyEnergy packer or not.

This tool, combined with the previously published GreyEnergy Unpacker (a Python script that automatically unpacks the dropper and the backdoor, extracting them onto a disk), saves other security analysts the reverse engineering work.

Alessandro Di Pinto is a security researcher at Nozomi Networks. He is an Offensive Security Certified Professional (OSCP) with a background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) certification, which recognizes technologists with the skills and knowledge to reverse engineer malware and conduct forensic investigations.

Tuesday, February 19, 2019 @ 03:02 PM gHale

Coal-fired plants are continuing their downward spiral as the Paradise and Bull Run plants will close, the Tennessee Valley Authority (TVA) said Thursday.

The intent is to close the final Paradise unit by the end of 2020, and the Bull Run plant by the end of 2023, TVA CFO John Thomas said. The Paradise Fossil Plant is in Muhlenberg County, Kentucky. The Bull Run plant is near Oak Ridge, TN.

“Analysis over the past several months shows that closing two additional fossil plants is the right action to take at this time, financially and operationally,” outgoing TVA President and Chief Executive Bill Johnson told board members. “It is not about coal. This decision is about economics.”

The half-century-old coal plants were designed to operate at full capacity about 80 percent of the time, he said. They can’t be speedily started, or easily provide varying levels of power.

“To get these plants to run on Thursday, you have to start them on Tuesday,” Johnson said.

The changing nature of power demand, and of TVA’s generation system, means the two coal plants can only run about 10 percent of the time, and that’s just not cost-effective, he said.

The power provider is able to meet its base demand more economically without them, Johnson said.

“We can avoid over $1 billion of lifetime cost on these units,” he said.

But the retirements will only drop coal’s contribution to TVA’s generation system by about 1 percent, meaning the share of power coming from coal will remain at today’s 17 percent for the next decade, Johnson said.

TVA closed five coal plants from 1966 to 2016, including three since 2012. It still operates six; the loss of Paradise and Bull Run will drop that to four.

TVA will spend $2.3 billion on the rest of its coal fleet over the next five years; the two plant closures won’t really change what the agency spends on coal, Thomas said.

Johnson said he expects TVA to keep using coal until at least 2050; no further plant closures are currently under discussion.

The Paradise Fossil Plant in Muhlenberg County, Kentucky, began with two coal-burning units in 1963, adding a third in 1970. The two older units shut down in 2017, and the same year TVA opened a $1 billion natural gas plant on the site. The gas plant employs 30 to 35 people, according to TVA spokesman Scott Brooks.

Closure of the Bull Run plant near Oak Ridge passed unanimously. Several environmental groups immediately issued statements praising the decision to close the two coal plants.

Monday, February 18, 2019 @ 07:02 PM gHale

Oak Ridge and Los Alamos national laboratory researchers collaborated with Chattanooga utility EPB to demonstrate next-generation grid security technology. Back row, from left: EPB’s Ken Jones, manager, fiber design; Nick Peters, ORNL senior scientist and leader of the laboratory’s Quantum Communications team, and ORNL researcher Phil Evans. Front row, from left: Los Alamos’s Glen Peterson; EPB’s senior engineer for IT engineering Tyler Morgan; and EPB’s director of strategic planning Lilian Bruce.
Source: ORNL

A metro-scale quantum key distribution (QKD) system is an effective means of secure communication for the nation’s electricity suppliers, researchers found.

This finding is part of a joint public- and private-sector team’s three-year project focused on next-generation grid security.

A team of researchers from the Department of Energy’s Los Alamos and Oak Ridge national laboratories partnered with EPB, a Chattanooga utility and telecommunications company, in the project.

“Recent demonstrations at Los Alamos have shown that QKD systems can operate on existing electric infrastructure in real-world settings, including during a historic snowfall,” said Ray Newell, Los Alamos research scientist and leader of the Lab’s quantum communications team. “Our partnership with Oak Ridge and EPB shows that utilities can realize the benefits of quantum security using a mix of distinct but interoperable communication systems.”

QKD harnesses the inherent randomness of quantum mechanics to authenticate and encrypt data. The technology allows two parties to share a secret “key” and alerts both parties to any third-party intrusion, a critical security capability as more of the nation’s grid is modernized and data are moved online.

The goal of this initial demonstration, conducted by ORNL’s Nick Peters and Phil Evans, Los Alamos’s Ray Newell and Glen Peterson, and EPB’s Tyler Morgan, Ken Jones, and Steve Morrison, was to prove the interoperability of disparate QKD systems. ORNL senior scientist Peters said because utilities are largely regional, providers use a mix of components and have fluctuating upgrade schedules. Ensuring that different utility providers can operate in sync across the nation’s electric grid is critical to realizing the potential of QKD on a national scale.

To prepare for the demonstration, ORNL researchers modified a commercial QKD system while Los Alamos developed its own custom system in-house; both systems generated separate keys that, when interfaced at a “trusted node,” or secure information exchange, generated a third key, which was then distributed between the Los Alamos and ORNL systems.

“This demonstration accomplished two things: it showed that different systems can operate together and it established the functionality needed to relay keys over larger distances often encountered on the electric grid,” said Peters, leader of ORNL’s quantum communications team.

ORNL and Los Alamos have dedicated years to developing quantum communications systems, and several technologies developed by the laboratories are currently licensed to industry.

The demonstration took place at EPB, which, according to ORNL’s Evans, is an ideal partner because the utility has deployed a fiber optic network in concert with its electrical distribution infrastructure. Besides that, “they are engaged with us on multiple projects for facilitating next-generation technologies to secure our nation’s infrastructure,” he added.

Secure Smart Grid
“EPB is excited about the results of our continuing research partnership with ORNL and Los Alamos, and the opportunities that we share to maintain the security and reliability of Chattanooga’s smart grid for our customers, as well as customers who are served by other utilities,” said EPB Director of Information Security Steve Morrison. “Our mutual goals align with EPB’s mission to improve quality of life and support the growth of the local economy.”

Despite the demo’s success, however, there is still plenty of work to do. Next, the researchers will work toward overcoming QKD’s notorious distance limitations.

Much like electrical resistance reduces the amount of electricity being transmitted as distance increases across traditional power lines, increasing the distance of fiber optic transmissions reduces the throughput of quantum communications. For the nation’s electric grid, increasing the distances over which these QKD systems can effectively be used is critical, and for that the researchers will once again rely on trusted nodes, in this case EPB’s electrical substations.

The eventual goal is to implement QKD systems in numerous substations, which are placed at intervals and are capable of relaying the quantum keys. ORNL’s Evans compared it to a relay race, in which one runner passes the baton to another, with each runner carrying the baton for a certain interval. By passing the baton at each substation before the signal is lost, the signal is refreshed for the next journey and so on, potentially expanding the range of QKD technology significantly.

Monday, February 18, 2019 @ 06:02 PM gHale

Stony Brook University computer scientist Nick Nikiforakis.
Source: Stony Brook University

A new project in development attracts, “fingerprints” and tracks web bots used for attacks, such as the exploitation of stolen credentials to steal private information or money, in order to identify those behind the bots.

Stony Brook University computer scientist Nick Nikiforakis received a 2018 Amazon Research Award for his work in Internet security. The award includes $64,000.

Nikiforakis, an assistant professor in the Department of Computer Science in the College of Engineering & Applied Sciences at Stony Brook University and affiliate of Stony Brook’s National Security Institute, works on practical, hands-on security and privacy, much of which includes the measurement of online abuse and countermeasures against unwanted tracking. The project is entitled “ICBots: Tools and Techniques for Detecting Web Bots.”

For the most part, web bots are benign. For instance, without bots there could be no Google search. Malicious web bots, however, are used for a variety of nefarious purposes including the exploitation of stolen credentials to log in to as many online assets as possible, in order to steal private information, money, or even air miles.

Nikiforakis’ ICBots project builds websites that exist only for the purpose of attracting web bots. These bots are then “fingerprinted” and tracked to identify which are malicious so they can be dealt with.

“Receiving an Amazon Research Award puts our project in very select company with many of the most well-respected academic institutions around the world,” Nikiforakis said.

Friday, February 15, 2019 @ 05:02 PM gHale

An old factory in Alliance, Ohio, in the process of being demolished ended up creating a HazMat situation, officials said.

As a result, the Ohio Environmental Protection Agency (OEPA) is now involved with the demolition of the T&W Forge complex, after receiving the call about a hazardous materials incident Thursday in Alliance, OH.

Alliance Fire Department responded at 2:35 p.m. Thursday to the 400 block of North Rockhill Avenue, after an area resident noticed a sheen on a nearby creek and notified the city engineer’s office.

City officials then notified state environmental folks.

“When I got on scene, I asked the company representative to contact the OEPA,” said Chief Jason Hunt, who had been in touch with Alliance Fire Department’s HazMat control officers and updated their strategy. “They felt comfortable in what we were doing at that point, and the OEPA was on its way.”

Jim Wallace Land Co. had been demolishing the T&W Forge complex, which is on 11.85 acres in the 900 block of Ely Street, since January. The company specializes in demolishing older factories and recycling materials, such as the metal and bricks, from structures.

T&W Forge once was part of Transue & Williams, a company that forged steel parts since the 1890s.

Hunt said the sheen on the water was an oil-based product running downstream from the site.

He said fire crews placed two booms near Rockhill Avenue and Harrison Street.

“The OEPA official was going to fortify those and place one more down,” he said. “We all had met upstream to make sure the water was clear before deciding the best course of action. During a field survey, we appeared to find the source of action, so we have asked the property owner to work with the OEPA to remediate the issue.”

Wednesday, February 13, 2019 @ 02:02 PM gHale

By Gregory Hale
Safety has always been a top priority at any manufacturing automation facility in the world, but creating a safety culture for all workers to participate in is one thing; trying to make safety a profit center takes it to the next level.

“Safety is complex, it is not easy and has lots of challenges,” said Chris Stogner, brand director for Triconex Safety at Schneider Electric, during a session at the ARC Industry Forum 2019 in Orlando, FL, last week. “You have to get it right all the time. A safety system is like a referee on the football field: If they are doing the job right you don’t know they are out there, but if they miss a call, just look at New Orleans a few weeks ago. Safety is always viewed as a cost. The more safely you operate the more profitable you will be.”

Along those lines, Stogner and Farshad Hendi, safety practice leader at Schneider Electric, talked about EcoStruxure Process Safety Advisor, an IIoT-based digital process safety platform and service that can allow users to visualize and analyze real-time hazardous events and risks to their assets, operations and business performance.

Safety Advisor is built on Schneider’s EcoStruxure SIF Manager application for tracking and validating safety instrumented function (SIF) performance over the life of a plant. It provides a single view into the health and status of the user’s safety instrumented functions, which helps to identify potential risks and their impact on operations performance.

Platform- and vendor-agnostic, Safety Advisor extends the functionality of SIF Manager. Safety Advisor aggregates real-time data, analytics and insights from multiple sites and geographies into a single user interface so customers can create an accurate, enterprise-wide risk profile in real time. It also identifies the need to take corrective action via easy-to-understand performance dashboards and leading indicators for safety health and then documents the entire process using an embedded SIF audit trail that supports safety compliance.

Closing Gaps
“There is a gap that we have,” Hendi said. “Safety is a multi-disciplinary kind of practice. We have the people in management that need to decide about safety, people in operations that can impact safety, and people in maintenance that can affect safety, and even engineering. Where we see a gap and problems is when these teams are not talking to each other. We need a singular unit or a unique environment, a collaboration environment, where people can see the singular form of truth.”

Safety Advisor helps in three key elements:
1. Collaboration
2. Timing
3. Different enterprise connections

“The enterprise level wants to see what is happening with their assets,” Hendi said. “How do you know what is going on? These tools help each level of the enterprise close the layers (of information) together. That is a gap that is closed.”

It also gives “leading indicators that can show what is going on now and what may happen in the future,” he said. “You are able to drill down to see the information at individual sites. It provides a simplified view of what is happening and gives everyone the right information they need to make the right decisions for profitable safety.”

Safety for years has been a set it and forget it kind of thing where, yes, it needed maintenance and tuning, but it pretty much sat and protected the facility for years on end. That meant safety was a reactive process.

Proactive Process
“For the next many years, analytics will take advantage of the Big Data, rules engines and machine learning that will transform something that has been purely a reactive process to a proactive process that helps prevent nuisance trips, and unsafe events and hazardous events before they happen,” Stogner said. “We will be able to give good information that is contextualized and gives it to the right people to take the right action.”

Trying to change a mindset toward profitable safety in the industry is akin to changing the mind of a headstrong 5-year-old. It can happen but it won’t be easy. The same is true for organizations thinking about profitable safety.

“People still see it as a cost, but there are some that are coming around and grasping the concept of that which is not safe cannot be profitable,” Stogner said. “One of the watershed moments was in the summer of 2017 when the latest edition of 61511 came out and started making some of the things we said you should do to be profitable mandatory to become more safe. A lot of customers are trying to figure out ways to do it to help ease the burden.”

Wednesday, February 13, 2019 @ 11:02 AM gHale

Communities have a right to know what chemicals are released in industrial accidents, a federal judge ruled last week.

The ruling by Judge Amit Mehta of the U.S. District Court for the District of Columbia on Monday, Feb. 4, requires the U.S. Chemical Safety and Hazard Investigation Board (CSB) to determine and disclose what air pollutants are accidentally emitted by any industry the board monitors.

A lawsuit was filed in December 2017 by Public Employees for Environmental Responsibility, which argued the CSB should have been reporting chemical releases for years. While the 1990 law that created the CSB required it, the national safety board has never adopted such a mandate in its nearly 30-year existence.

Daniel Horowitz, managing director of the CSB from 2000 to 2018, said he advocated for greater public reporting of chemical accidents during his tenure.

“The big problem for community groups right now is there is no reliable database of chemical accidents,” Horowitz said. “The hope is with a rule like this there will be a one-stop shop for community groups and first responders to find out about chemical releases — what chemicals, what quantities and their effects.”

In California, reporting requirements are more stringent than in many other states, making the job of finding out information a little easier, but not much, Horowitz said.

“You really need a lot of expertise to find out what accidents have happened,” he said. “There is often a lot of leg work required.”

AB 1647, a bill sponsored by Assemblyman Al Muratsuchi (D-Torrance) and signed by then-Gov. Jerry Brown in 2017, will require by 2020 fence-line and community air quality monitoring around oil refineries, along with real-time reporting of the readings from those devices.

The South Coast Air Quality Management Agency (SCAQMD) in 2017 directed $2.77 million to enhance the monitoring and alert systems at the refinery in Torrance. But there is still a lot the public is not aware of.

At the SCAQMD’s board meeting Feb. 1, it was revealed for the first time that 10 leaks of modified hydrogen fluoride (MHF), or hydrofluoric acid, had occurred since 2017 at the Torrance and Wilmington refineries. Those releases were detected by sensors on refinery property.

Four of the incidents involved the release of MHF at quantities greater than 10 parts per million (PPM). The lowest lethal dose for inhalation is estimated between 50 and 250 PPM for a five-minute exposure.

Tuesday, February 12, 2019 @ 03:02 PM gHale

A type of malware, known as a “clipper,” takes advantage of a user’s tendency to copy and paste addresses of online cryptocurrency wallets.

Because these addresses consist of long strings of characters, users copy and paste them rather than typing them, leaving the address on the clipboard.

This malware can then intercept the content of the clipboard and surreptitiously replace it with content of the attacker’s choosing, said Lukas Stefanko, a malware researcher at ESET, in a post. In the case of a cryptocurrency transaction, the affected user might end up with the copied wallet address quietly switched to one belonging to the attacker.

This malware first made its rounds in 2017 on the Windows platform and was spotted in shady Android app stores in the summer of 2018. In February 2019, ESET discovered a malicious clipper on Google Play, the official Android app store.

Cryptocurrency stealers that rely on altering the clipboard’s content can be considered established malware. ESET researchers discovered one hosted on, one of the most popular software-hosting sites in the world. In August 2018, the first Android clipper was discovered being sold on underground hacking forums and since then, this malware has been detected in several shady app stores.

The clipper we found lurking in the Google Play store, detected by ESET security solutions as Android/Clipper.C, impersonates a legitimate service called MetaMask, Stefanko said. The malware’s primary purpose is to steal the victim’s credentials and private keys to gain control over the victim’s Ethereum funds. However, it can also replace a Bitcoin or Ethereum wallet address copied to the clipboard with one belonging to the attacker.
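One defensive check that follows from the behavior described above, as an added example that is not from the original article or from ESET: compare the address the user meant to copy against what the clipboard holds before it is pasted into a transaction. The address patterns below are coarse shape checks constructed for this example, not full checksum validation, and the sample addresses are constructed, not real wallets.

```python
import re

# Coarse wallet-address shape checks (constructed for this example; they do not
# validate checksums, so a match only means "looks like an address").
ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")
BTC_ADDR = re.compile(r"^([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[02-9ac-hj-np-z]{25,62})$")


def address_kind(text):
    """Return 'ethereum', 'bitcoin' or None depending on what the text looks like."""
    text = text.strip()
    if ETH_ADDR.match(text):
        return "ethereum"
    if BTC_ADDR.match(text):
        return "bitcoin"
    return None


def check_clipboard(intended, clipboard):
    """Compare the address the user meant to copy with what the clipboard now holds.

    Returns (ok, reason). A clipper swaps the address for one of the same kind so
    the paste still looks plausible; that is the case reported as 'swapped'.
    """
    wanted = address_kind(intended)
    if wanted is None:
        return True, "not a wallet address"
    if clipboard.strip() == intended.strip():
        return True, "unchanged"
    if address_kind(clipboard) == wanted:
        return False, "swapped"      # same kind, different address: classic clipper
    return False, "corrupted"        # no longer an address of the expected kind


if __name__ == "__main__":
    # Constructed sample addresses, not real wallets.
    copied = "0x" + "ab12" * 10
    swapped = "0x" + "cd34" * 10
    print(check_clipboard(copied, copied))   # (True, 'unchanged')
    print(check_clipboard(copied, swapped))  # (False, 'swapped')
```

In practice the "intended" value comes from the application that displayed the address, and the user-facing mitigation is the same: compare the pasted address to the displayed one before confirming the transaction.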

Tuesday, February 12, 2019 @ 01:02 PM gHale

A 54-year-old worker died after he was found in a vat of sulfuric acid at a South Lyon, MI-based steel manufacturing firm.

Daniel Hill was fully submerged in the 10-12 percent sulfuric acid solution Saturday afternoon as his Michigan Seamless Tube co-workers attempted to pull him from the industrial container, burning themselves on the chemical solution, which was at least 160 degrees, Fire Chief Robert Vogel said.

“Other employees, co-workers saw him in the tank,” Vogel said. “He was completely submerged and was 100 percent covered in burns. The gentleman was trying to get out. They ran and grabbed him and pulled him out.”

Roughly 11 hours later, Hill died of chemical burns at 11:30 p.m. Saturday, said Kristin LaMaire, administrative assistant to the Washtenaw County Medical Examiner.

South Lyon police responded to an emergency call at about 12:21 p.m. to the manufacturing facility at 400 McMunn St., Police Chief Chris Sovik said. The employees placed Hill under a safety shower, and medics then transported him to the University of Michigan Hospital in Ann Arbor.

“He was speaking when we were there,” Vogel said. “He was walking and talking. Unfortunately, he passed. It was pretty extreme burns.”

It was unclear how Hill ended up in the vat and how long it was before he was rescued, he said.

The co-workers who assisted Hill sustained burns to their hands, Vogel said. Medics treated them at the scene.

Mark Hommel, a Michigan Seamless spokesman who works in human resources, described Hill as “a valued employee” who was with the company since April 2017. He said the company is conducting a “comprehensive investigation” and is “cooperating fully” with the Michigan Occupational Health and Safety Administration (MIOSHA) investigation.

Pardeep Toor, public information officer for the Michigan Licensing and Regulatory Affairs Department, said MIOSHA’s investigation of the incident has begun.

“MIOSHA cannot provide information on an open investigation,” he said. “Typically, this type of investigation may take several weeks or months to complete.”

Michigan Seamless Tube, one of South Lyon’s largest employers, has had seven workplace safety violations since 2012, according to the U.S. Occupational Safety and Health Administration, with fines totaling $93,000.

Michigan Seamless Tube is a wholly owned subsidiary of Hammond, Indiana-based Specialty Steels Works Inc. The parent company emerged from Chapter 11 bankruptcy in 2017 and was renamed from Optima Specialty Steel. It also owns steel manufacturers Niagara LaSalle Corp. in Hammond and Corey Steel Co. in Cicero, Illinois.