
Tag: ventilation

Nuclear waste facility receives its first shipment since 2014 accident

Shipments to the Waste Isolation Pilot Plant will ramp up in frequency through 2017.

Polar updates algorithms to make heart rate sensor better in new...

And a new accelerometer for better indoor running stats.

What IoT can learn from mobile management

Smart sensors and actuators everywhere to control building access, fuel valves, turbines, heating and ventilation, traffic lights, parts pickers, and much of our infrastructure’s operations—that’s the dream of the industrial internet of things.

But there’s also a nightmare: All those devices operate with little oversight, so maybe you don’t have the data you need, maybe a valve won’t turn off when it should, or maybe a terrorist has taken them over to sabotage an oil rig or dam.

The truth is that the industrial internet of things is largely in place already, through thousands of proprietary deployments of sensors and actuators. Industry has been automating for years, and IoT is simply the new form of that automation, adding more connectivity and logic to the mix.

Critical devices are already monitored, managed, and secured—but often inefficiently or sporadically, creating a different risk and high cost as more IoT devices get deployed.

Paging 1994: Crap encryption still rife in devices

Switch to asymmetric keys, stat!

Pager communications in industrial environments often run over unencrypted channels, creating a hacker risk in the process. Industries such as energy, manufacturing, and transportation still make extensive use of pager technologies that have been superseded in other sectors of the economy. Researchers at Trend Micro warn that criminals might easily monitor the unencrypted pager data being sent by companies using only a $20 dongle and some software-defined radio know-how, as a blog post by Trend Micro explains.

Our analysis of unencrypted pager messages in countries like the US and Canada revealed that critical infrastructure sectors like nuclear power plants, substations, power generation plants, chemical plants, defense contractors, and other industrial environments like semiconductor and commercial manufacturers, and heating, ventilation and air conditioning (HVAC) companies are still using pagers to this day. Unfortunately, we discovered that communication through pagers is not secure at all. Since pager messages are typically unencrypted, attackers can view pager messages even at a distance—the only thing attackers need is a combination of some know-how on software-defined radio (SDR) and US$20 for a dongle.

Data gathered can include email addresses, project codes, and employee names, excellent fodder for subsequent (highly targeted) social engineering attacks.

Alarm/event notifications (on leaks, mechanical failures, deviations, etc.), diagnostic information and information on ICS or SCADA devices and network configurations are also leaked through the insecure channel. Organisations that are still using pagers are advised to switch to an encrypted paging system with asymmetric keys, Trend Micro recommends. More details can be found in a white paper entitled Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry by Trend Micro here (pdf). Previous research by Trend Micro addressed the related problems posed by unencrypted pager comms in healthcare. ®

PCI Council wants upgradeable credit card readers … next year

Tamper-proofing and shielding against side attacks on the agenda

The Payment Card Industry Security Standards Council (PCI Council) has floated a new standard it hopes will reduce credit card fraud that starts at the point of sale, in part by allowing easier upgrades. The new version 5.0 of the PCI PIN Transaction Security (PTS) Point-of-Interaction (POI) Modular Security Requirements emerged late last week.

The most notable new bits of the proposed standard (PDF) are:

A new control that means point of sale card readers “... must support firmware updates. The device must cryptographically authenticate the firmware and if the authenticity is not confirmed, the firmware update is rejected and deleted.”

Tamper-proofing requirements so that an attack involving “drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings” results in devices becoming inoperable and deleting all data;

Requirement that devices be verifiably immune to leaking keys if probed using side-channel methods such as monitoring for electromagnetic emanations;

The changes have been made in response to the prevalence of card skimming attacks and as recognition that retailers need the ability to respond quickly as threats emerge. Hard-to-upgrade card-reading kit retards security efforts as retailers resist expensive upgrades when they address obscure attacks. Making card readers upgradeable should mean better point of sale security.

That the United States is now adopting the chip-and-pin (EMV) wireless payment technology so prevalent elsewhere is also cited as a reason for the new round of changes. But even pre-EMV technologies need better wireless security: Samsung's Magnetic Secure Transmission (MST) technology lets phones talk to magnetic stripe readers.

Even those small exchanges of electromagnetic energy are potentially sniffable, with keys a bigger prize than individual cards. The new standard comes into force in September 2017, when the current version 4.1 will fade away. ®

Printers now the least-secure things on the internet

BitDefender's senior threat analyst Bogdan Botezatu despairs of IoT security

The Internet of Things is exactly as bad a security nightmare as pessimists think it is, according to Bitdefender's Bogdan Botezatu. The senior threat analyst at the Romanian security software company called by to chat to Vulture South while in Australia (we were, I suspect, meant to discuss the company's 2017 launches, but conversation digressed from the start, and there's plenty of time between now and the end of the year).

The Register has long been following the persistent awfulness of “SOHOpeless” broadband routers, but Botezatu says they've already been overtaken by the awfulness of other things. “We get a lot of telemetry in our vulnerability assessment labs,” he said. “The router is no longer the worst device on the Internet. It's now the printer.”

That's a pretty big claim to make, given that in less than a month, we've discussed the no-we-won't-fix-it Inteno router from Sweden and the record-setting Chinese surveillance router.

Botezatu himself has been horrified by routers acting as “smart home gateways”: for example last year, he tested one such device, and was pleased at its default security posture, but there was one problem. “It allowed unauthenticated downgrades to the firmware,” he said. “So it doesn't matter that it looks secure.”

But the printers still win out: many, he said (without identifying the guilty party), offer public shares that are visible to the Internet (because lots of home users also leave their routers too close to default configuration).

Creating a power point that's “smart” and exposed to the Internet – like this one – is just stupid, because there'll never be sufficient security that someone's home ventilation machine can't be switched off by an attacker, Botezatu told Vulture South; a coffee-pot is an invitation to disaster, and “a smart electric oven should be just illegal”, he said.

There's a huge expectation gap between how ordinary people think of their whitegoods, and what happens when the Internet of Things invades them. “We expect appliances to have a long lifetime, but vendors won't support them with updates forever,” he said. Once the world gets to the point where there's no “dumb” option for a refrigerator or washing machine, consumers will be in a squeeze. Either they'll be force-marched into buying a new refrigerator/washer/dryer/microwave because the software is end-of-life; or they'll be stuck with a product that's vulnerable to attackers.

“There's always an attack surface”, he said. “The Internet of Things overcomplicates things massively.

“How do you patch things that have no user interface?”

Certainly not by any kind of vendor push-process – because that means vendors will hold credentials of some kind, and we know that golden keys inevitably leak somehow.

There's a (euphemistic) shedload of IoT vulnerabilities already, Botezatu said: “It's scary, it's complicated, and it's potentially lethal.”

In a world where very simple social engineering spam still works to drop ransomware, he said, layering of security is still the best defence – signature detection, followed by heuristics, followed by behavioural analysis. But the last layer, Botezatu fears, always seems to be “luck”: and in a world where a vulnerability could be a vector to burning down a house, that's just not good enough. ®

Nuclear waste accident 2 years ago may cost more than $2...

According to the Department of Energy, this is an exploded waste drum in the dump. "Damage can be seen to the slip sheet on top of the waste container and there are remnants of a magnesium oxide bag also visible." Department of Energy

The Los Angeles Times is estimating that an explosion that occurred at a New Mexico nuclear waste dumping facility in 2014 could cost upwards of $2 billion to clean up. Construction began on the Waste Isolation Pilot Plant (WIPP) in New Mexico's Carlsbad desert in the 1980s (PDF).

The site was built to handle transuranic waste from the US' nuclear weapons program.

The WIPP had been eyed to receive nuclear waste from commercial, power-generating plants as well. According to the LA Times, the 2014 explosion at the WIPP was downplayed by the federal government, with the Department of Energy (DoE) putting out statements indicating that cleanup was progressing quickly.
Indeed, a 2015 Recovery Plan insisted that "limited waste disposal operations" would resume in the first quarter of 2016.
Instead, two years have passed since the incident without any indication that smaller nuclear waste cleanup programs around the US will be able to deliver their waste to the New Mexico facility any time soon. Ars contacted the DoE for comment and has not received a response. We will update this article if we hear back. The 2014 explosion apparently occurred when engineers at the Los Alamos National Laboratory were preparing a drum of plutonium and americium waste—usually packed with kitty litter (yes, kitty litter)—and decided to "substitute an organic material for a mineral one." "The new material caused a complex chemical reaction that blew the lid off a drum, sending mounds of white, radioactive foam into the air and contaminating 35 percent of the underground area," the LA Times wrote.

The dump's filtration system, which was supposed to "prevent any radioactive releases," subsequently failed. No workers were in the shafts of the dump at the time. Workers on the surface were only exposed to low doses of radiation due to the HEPA filters in the ventilation system. Still, the dump site was set to receive another 277,000 drums of radioactive waste from around the country.

The congestion is now creating a costly problem. The federal government renewed its contract with dump operator Nuclear Waste Partnership to the tune of $640 million extra for cleanup.

That number could grow, especially as federal officials now say the contaminated ventilation system on the dump needs to be replaced—a project that will not be completed until 2021. Until then, the dump must remain open, but it can not accept nuclear waste at the rate it had planned.

The dump costs $500 million a year to remain open, the LA Times reported. Meanwhile, feds also have to pay to house the nuclear waste being stored at sites around the US (in Washington state and Idaho, for example) that's supposed to be on its way to the WIPP. While there may be cheaper solutions to the problem, the Department of Energy is under pressure to fix the New Mexico dump to make good on a US agreement with Russia to fulfill mutual reductions of plutonium. WIPP is currently the primary destination for weapons-grade nuclear waste.
If it closes, a likely expensive and time-consuming disposal alternative would have to be proposed. Edwin Lyman, a physicist and nuclear expert at the Union of Concerned Scientists, told the LA Times that, "The decision means operations at the dump must resume. They have no choice."

That means that WIPP cleanup, including indefinite housing costs for nuclear waste around the country that was to be shipped to WIPP, could rank among the costliest nuclear waste cleanup efforts in US history, on par with clean up after Pennsylvania’s Three Mile Island disaster in 1979.

Cleanup after that incident cost the federal government about $1 billion, or $1.7 billion adjusted for inflation.