This week, Senate Democratic Leader Chuck Schumer (D-NY), Sen. Todd Young (R-IN), Rep. Ro Khanna (D-CA), and Rep. Mike Gallagher (R-WI) unveiled the Endless Frontier Act (EFA).

This newsletter doesn’t usually cover new legislation, much less proposed bills. But EFA is an exception since it seeks to turbocharge American “discovery, creation, and commercialization of critical tech.” By that, the lawmakers mean every technology you read about in this newsletter. 

EFA’s core proposals. There are three principal parts to the proposed bill:

• Restructure the National Science Foundation into the National Science and Technology Foundation (NSTF)
• In the NSTF, stand up a Technology Directorate that receives $100 billion over five years and operates like DARPA
• Hand the Commerce Department $10 billion to invest across 10-15 regional tech hubs over five years

This is great news for U.S. universities and businesses because EFA would pad R&D budgets, establish new scholarships, and create cutting-edge labs and fabrication plants. 

What’s driving the frontier mindset? The private sector overtook Washington in R&D investment four decades ago. EFA’s sponsors want to expand the pool of capital so that all of Washington’s tech priorities are advanced in the U.S.

The other reason for EFA, which its sponsors explicitly call out: China. While Beijing’s bid for tech supremacy is better described as a “slow burn” rather than a “Sputnik moment,” the country’s tech industrial base is now a genuine contender with the U.S. There’s more to come: 

• China plans to invest $1.4 trillion in emerging tech over the next six years. 
• Chinese chipmaker SMIC recently announced a $2 billion investment from state-backed funds. 
• Tencent will spend $70 billion on tech infrastructure over the next five years. 
  ​
  

“The U.S. needs to pursue with all-of-the-above strategy and intensify efforts,” a person familiar with the legislation said in a recent interview.

As Bill of Schoolhouse Rock’s “I’m Just a Bill” could tell you, EFA may never see the light of day. But adding $$$ to tech R&D and accelerating the U.S.-China tech decoupling are bipartisan priorities.

Attackers can steal data from Thunderbolt-equipped PCs or Linux computers, even if the computer is locked and the data encrypted, according to security researcher Björn Ruytenberg (via Wired). Using a relatively simple technique called “Thunderspy,” someone with physical access to your machine could nab your data in just a few minutes with a screwdriver and “easily portable hardware,” he wrote.

Thunderbolt offers breakneck transfer speeds by giving devices direct access to your PC’s memory, which also creates several vulnerabilities. Researchers previously thought those weaknesses (dubbed Thunderclap), could be mitigated by disallowing access to untrusted devices or disabling Thunderbolt altogether but allowing DisplayPort and USB-C access.

However, Ruytenberg’s attack method could get around even those settings by changing the firmware that controls the Thunderbolt port, allowing any device to access it. What’s more, the hack leaves no trace, so the user would never know their PC was altered.

If you intend to use Thunderbolt connectivity, it is strongly recommended that you Connect only your Thunderbolt peripherals; never lend them to anybody; avoid leaving your system unattended while powered on, even when screen-locked; avoid leaving your Thunderbolt peripherals unattended; ensure appropriate physical security when storing your system and any Thunderbolt devices, including Thunderbolt-powered displays; consider using hibernation (Suspend-to-Disk) or powering off the system completely. Specifically, avoid using sleep mode (Suspend-to-RAM).

He developed something called an “evil maid attack,” referring to an attacker who gets physical access to a PC in a hotel room, for instance. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired. “All of this can be done in under five minutes.”

The attack only requires about $400 worth of gear, including an SPI programmer and $200 Thunderbolt peripheral. The whole thing could be built into a single small device. “Three-letter agencies would have no problem miniaturizing this,” Ruytenberg said.

Intel recently created a Thunderbolt security system called Kernel Direct Memory Access (DMA) Protection that would stop Ruytenberg’s Thunderspy attack. However, that protection is only available on computers made in 2019 and later, so it’s lacking in any models manufactured before that. Also, many PCs manufactured in 2019 and later from Dell, HP, and Lenovo aren’t protected, either. This vulnerability might explain why Microsoft didn’t include Thunderbolt in its Surface laptops.

Intel just released a blog post giving its perspective on the issue.

Apple computers running macOS are unaffected by the vulnerability unless you’re running Boot Camp, according to Ruytenberg.
​
The researchers disclosed the vulnerabilities to Intel on February 10th, 2020, and Apple on April 17th. To find out if you’re vulnerable, there is a verification tool called Spycheck. To protect yourself, you should “avoid leaving your system unattended while powered on, even if screen-locked,” Ruytenberg wrote, avoid using sleep mode and ensure the physical security of your Thunderbolt peripherals.

Given the level of concern many users have had with Zoom’s security and privacy, the company has been hard at work during the first two weeks of April to bring better control to its video conferencing software. The first changes transformed the safety profile of using its service, albeit with additional overhead for hosts and people joining meetings. On April 8, Zoom’s CEO, Eric Yuan, told NPR, “When it comes to a conflict between usability and privacy and security, privacy and security [are] more important–even at the cost of multiple clicks.”

Here is a synopsis of the recent changes.

Passwords required. All free-tier accounts, free upgraded education accounts, and single-host paid accounts now need a password. It’s generated automatically and may be changed but cannot be removed. This blocks access by those who obtain the meeting ID but not the password, and it prevents access through bots trying to join randomly generated meeting IDs in the reasonable hope of connecting to a password-free session.

Meeting ID hidden. The meeting ID no longer appears in the title bar of Zoom apps to prevent it from appearing in screen captures posted on social media or elsewhere.

Waiting Room enabled. By default, the Waiting Room feature is now enabled for all accounts, even those that previously had the option turned off. The Waiting Room puts participants who attempt to join the meeting into a holding position. The host must admit them. It’s fussy, and if it’s unnecessary in your environment, you can override the default on a per-meeting or per-host basis.

Meeting locks. With a click of the new Security button, hosts can lock a meeting at any point to prevent new participants from being added to the Waiting Room or joining directly. Another click unlocks the meeting.

Name change prevention. Hosts can prevent participants from changing the name that appears when they join or request to join a meeting. Some people—both unwanted visitors and students who thought it was funny—were changing their names to derogatory or abusive forms during meetings.

Domain contacts visibility. Zoom no longer treats every user with the same domain in their email address as belonging to the same organization. Previously, anyone with a given address could view account information or add everyone to their contacts who had the same domain, excluding some significant ISPs and mail hosts, like Gmail and iCloud. That feature is now disabled for free tier and paid single-host accounts, and must be enabled on higher-tier paid accounts.
​
Traffic routed through China. The paths that data travels is a political, regulatory, and business question, not just a technical one. Citizen Lab’s report revealed that Zoom was routing some traffic that didn’t involve any participants in China through servers in that country. Zoom explained that it was an error in load balancing, which seemed plausible given the quick scaling of operations it needed to have. The company said it made permanent changes to prevent data passing through Chinese servers from outside the country. A new feature for paid users starts April 18, and those users will be able to select which of several regions data may pass through. Free users are locked to data centers in the region from which they subscribed. Apart from concerns about China, some people outside the United States don’t trust the National Security Agency or other US intelligence groups.

For more than a decade, security experts have had discussions about what's the best way of choosing passwords for online accounts.

There's one camp that argues for password complexity by adding numbers, uppercase letters, and special characters, and then there's the other camp, arguing for password length by making passwords longer.

This week, in its weekly tech advice column known as Tech Tuesday, the FBI Portland office positioned itself on the side of longer passwords.

"Instead of using a short, complex password that is hard to remember, consider using a longer passphrase," the FBI said.

"This involves combining multiple words into a long string of at least 15 characters," it added. "The extra length of a passphrase makes it harder to crack while also making it easier for you to remember."

The idea behind the FBI's advice is that a longer password, even if relying on simpler words and no special characters, will take longer to crack and require more computational resources.

Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password encryption.

Academic research published in 2015 supports this argument, explaining that "the effect of increasing the length dwarfs the effect of extending the alphabet [adding complexity]."

The FBI's advice echoes a now-infamous XKCD webcomic that made the concept of passphrases-over-passwords widely known among internet users.

Furthermore, NIST password recommendations issued in 2017 have also urged websites and web services to accommodate more extended password fields of up to 64 characters for this same reason – to let users choose passphrases instead of short passwords.
​
The same NIST guideline also recommended using passphrases over passwords when possible, a recommendation also picked up in a DHS security tip issued in November 2019, also urging users to give passphrases a try.

Apple’s new credit card has a curious security feature that will make it much more challenging to carry out credit card fraud.

The aptly-named Apple Card is a new credit card, built into your iPhone Wallet app, which the company says will help customers live a “healthier” financial lifestyle. The card is designed to replace your traditional credit card and give you perks, such as daily cash. Chief among the benefits is a range of security and privacy features, which Apple says – unlike traditional credit card providers – the company doesn’t know where a customer shopped, what they bought, or how much they paid.

But there’s one feature – a one-time unique dynamic security code – that will make it nearly impossible for anyone to use the credit card to make fraudulent purchases.

That three-digit card verification value – or a CVV – on the back of your credit card is usually your last line of defense if someone steals your credit card number, such as if your card is cloned or skimmed by a dodgy ATM or taken from a website through a phishing attack.

But rotating the security code will increase the difficulty for an attacker to use your card without your permission.

The idea of a dynamic credit card number first came about a few years ago with the Motion Code credit card concept, built by Oberthur Technologies, which included a randomly generating number built into a tiny display on the back of the card. The only downside is if someone steals your physical card.

Since then, other credit card makers – including Mastercard, the issuing payment provider for Apple Card – have worked to integrate biometric solutions instead. By enabling a fingerprint sensor on the card, powered by the card machine into which it is inserted, it was hoped that fraudulent purchases would be impossible. Other credit cards have worked to roll out biometric-powered credit cards. Again – a big letdown was online fraud, which still accounts for a vast proportion of fraud.

Apple Card seems to meld the two things: a virtual credit card with a rotating security code, protected by a biometric, like Touch ID or Face ID in newer devices. Better yet, the company’s debut physical titanium credit card won’t even have a credit card number.
​
Now, if someone wants to commit fraud, they need to steal your phone and your face or fingerprint.
Like other sensitive data – such as health, financial, and biometric data – any banking and credit card data is stored on the device’s security chip, known as the secure enclave.

For better and for worse, our lives have been revolutionized by the internet. But a new high-tech innovation known as 5G is set to transform everything once again.

The internet plays a pivotal role in our lives, thanks to broadband piped through our homes. But 'fifth generation' 5G will take this a giant step forward.

It will enable mobile phones to use wireless broadband that matches the best fiber optic speeds. We will be able to rip out old phone lines and internet cables that clutter the house – and instead use mobile reception for all our needs.

Experts believe 5G will lead to an explosion of new 'smart' gadgets that talk to our mobile phones through more reliable superfast signals – offering everything from fridge cameras that order groceries when the contents are running low, to robot chauffeurs that can take us around in a self-driving car.

The possibilities of this connection of gadgets – known as the ‘Internet of Things' (IoT) – seem almost limitless.

The 5G technology will start by making pin-sharp video phone calls the norm so we can ditch our landlines if we haven't already.

And with broadband download speeds of perhaps 200 Megabits per second (Mbps) – which is more than four times faster than the current average home broadband speed – the technology will also help us economize and be more secure.

Smartphone apps controlled by 5G will monitor our heating and lights – turning gadgets off when not needed – while providing 24-hour security with cameras viewed from our phones.

Get It to Everyone. But all of the good that is forecast for 5G will only happen when 5G is available to everyone.  In the UK, where 5G is moving more quickly than in the U.S., Ernest Doku, a technology expert at comparison website uSwitch, said, “5G has the potential to transform the way we live – but at this stage, it is no silver bullet as we still need to ensure everyone has access to the connection before it can change the world.”

Last year, it started was rolled out in several major cities though connectivity was still small and patchy. And you need an expensive new smartphone such as the Samsung Galaxy S10 to gain access.

So far, Apple devices cannot connect to the 5G network, and the revolution cannot begin in earnest until they do – which may happen when the latest iPhone models come out in September.

Beware New Malware. New 5G technology offers an exciting opportunity to improve our networks – but it also opens a new door for fraudsters.

One of the critical concerns is the threat of so-called ‘stingrays.’ This is where a criminal intercepts your mobile signal with a copycat aerial that tricks it into sharing encrypted identifying data about the phone.

Using this information, the fraudster knows what handset you are using, can track your exact whereabouts, and might even be able to hack into your phone operating system’s software.

Cybersecurity expert Colin Tankard, of Digital Pathways, said, “The public needs to be aware of the dangers of this new technology – and with more gadgets being hooked up to 5G, it increases the risk of problems if you should get hacked.”

Tankard believes those that embrace 5G must ensure they add a layer of security to their smartphones by downloading ‘virtual private network’ (VPN) software on to their handsets via an app and using a subscription service. 

Doku says: “Although it may be exciting to be among the first people to embrace this new technology, prices for 5G phones and access to the 5G network should both fall if you hold on for at least 12 months.”

Also, as a newbie, you may initially be disappointed as national coverage is still poor, and the number of gadgets connecting to 5G is limited.
​
But the potential for 5G to transform the way we live and manage our homes is really exciting.

In the UK, all Internet of Things (IoT) and smart consumer devices will need to adhere to specific security requirements, under new government proposals.

The legislation aims is to help protect citizens and businesses from the threats posed by cybercriminals increasingly targeting Internet of Things devices.

By hacking IoT devices, cybercriminals can build an army of devices that can be used to conduct DDoS attacks to take down online services, while poorly secured IoT devices can also serve as an easy way for hackers to get into networks and other systems across a network.

The proposed measures from the Department for Culture, Media and Sport (DCMS) have been developed in conjunction with the UK's National Cyber Security Centre (NCSC) and come following a consultation period with information security experts, product manufacturers and retailers and others.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people's privacy and safety," said Matt Warman, minister for digital and broadband at DCMS.

They also follow on from the previously suggested voluntary best practice requirements. Still, the legislation would require that IoT devices sold in the UK must follow three particular rules to be allowed to sell products in the UK. They are:

• All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
• Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability, and it will be acted on promptly.
• Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in-store or online.

It is currently unclear how these rules will be enforced under any future law. While the government has said that its "ambition" is to introduce legislation in this area, and said this would be done "as soon as possible," there is no detail on when this would take place. A DCMS spokesperson said that the department would be working with retailers and manufacturers as the proposals move forward.

Many connected devices are shipped with simple, default passwordswhich in many cases can't be changed. At the same time, some IoT product manufacturers often lack a means of being contacted to report vulnerabilities – especially if that device is produced on the other side of the world.

In addition to this, it's been known for IoT products to stop receiving support from manufacturers suddenly, and by providing an exact length of time that devices will be supported will allow users to think about how secure the product will be in the long-term.

If products don't follow these rules, the new law proposes that these devices could potentially be banned from sale in the UK.

"Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cybersecurity is built into these products by design," said Warman.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people's privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought," he added.

"Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed," said Nicola Hudson, Policy and Communications Director at the NCSC.

"It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past."
​
The UK isn't alone in attempting to secure the Internet of Things – ENISA, the European Union's cybersecurity agency, is also working towards legislation in this area. At the same time, the US government is also looking to regulate IoT to protect against cyber-attacks.

The Smart Home market is currently badly fragmented because each vendor has been focusing on creating a separate ecosystem with devices that are difficult or impossible to connect with those of their competitors.
This situation may be about to end with the announcement of a new project called Project Connected Home over IP.

In a surprising move, Amazon, Apple, Google, along with the Zigbee Alliance have announced a joint effort to define a new standard that would remove those barriers by increasing interoperability and simplifying development for smart device manufacturers. They will join Zigbee Alliance members such as IKEA, NXP Semiconductors, Samsung SmartThings, Schneider Electric, and Signify in contributing to a project that aims to increase trust and adoption of smart things.

The new project is essentially a way to certify that whatever smart device you buy will work with your existing home setup and connect with your smartphone or voice assistant of choice. In other words, it will allow smart things to speak a common language, so they know what the other devices do and how to interact with them, hopefully, governed by better, end-to-end security and privacy protections.

The success of this project hinges on the idea that if companies build their products to connect using Internet Protocol-based technologies, it will be easier for consumers to invest in building up mixed ecosystems that are "secure, reliable, and seamless to use."

The companies involved will take an open-source approach, so each will bring some of their smart home technologies to the table so that a common protocol can be developed as quickly as possible with relatively lower costs. That includes Amazon's Alexa, Apple's HomeKit and Siri, Zigbee's Dotdot, and Google Weave and Thread.

Once that new standard is ready, it will work alongside existing connectivity standards such as Wi-Fi, cellular, and Bluetooth Low Energy. A logo on the boxes of smart things will make it easy for consumers to discern what devices are guaranteed to work with each other, and this should also make things easier for manufacturers who no longer need to worry about which standards to support. Similarly, developers will be able to follow a standard for "lifecycle events such as provisioning/onboarding, removal, error recovery, and software update."

Before you get too excited about the new development, keep in mind that a preliminary draft will be completed by the end of 2020, so we'll probably have to wait until at least 2021 to see this project bear fruit. And be ready to buy new smart things if you want these benefits, as existing ones won't necessarily be able to work with the new protocol.
​
The new industry group will initially focus on physical safety products like smart locks, gas sensors, smoke alarms, security cameras, smart electrical plugs, and thermostats. Then they'll move on to cover most other smart home and commercial devices.

There's been a significant rise in cybercriminals using a particular phishing technique to trick workers into unwittingly installing malware, transferring money, or handing over their login credentials.

In conversation-hijacking attacks, hackers infiltrate real business email threads by exploiting previously compromised credentials –perhaps purchased on dark web forums, stolen or accessed via brute force attacks – before inserting themselves into the conversation in the guise of one of the group.

"Once they gain access to the account, attackers will spend time reading through conversations, researching their victims and looking for any deals or valuable conversations they can insert themselves," Olesia Klevchuk, senior product manager for email security at Barracuda Networks, said.

The idea is that by using a real identity and by mimicking the language that a person uses, the phishing attack will be viewed as coming from a trusted colleague and is thus much more likely to be successful.

Cybercriminals are leaning hard on this attack technique as a means of compromising businesses, according to new research from Barracuda Networks. Analysis of 500,000 emails showed that conversation hijacking rose by over 400% between July and November last year.

While conversation-hijacking attacks are still relatively rare, the personal nature means they're difficult to detect, are effective, and potentially very costly to organizations that fall victim to campaigns.

For cybercriminals conducting conversation-hijacking attacks, the effort involved is much greater than merely spamming out phishing emails in the hope that a target clicks, but a successful attack can potentially be highly rewarding.

In most cases, the attackers won't directly use the compromised account to send the malicious phishing message – because the user could notice that their outbox contains an email that they didn't send.

However, what conversation hijackers do instead is attempt to impersonate domains, using techniques like typo-squatting – when a URL is the same as the target company, save for one or two slightly altered changes.

But by using a real name and a real email thread, the attackers are hoping that the intended target won't notice the domain is slightly different and that they'll follow the request that's coming from their supposed contact, perhaps a colleague, customer, partner or vendor.

In some cases, it's been known for conversation hijackers to communicate with their intended victims for weeks to ensure that trust is built up.

At some point, the attacker will make their move and try to trick the victim into transferring money, sensitive information, or potentially installing malware.

"These attacks are highly personalized, including the content, and therefore a lot more effective. They have the potential of a huge payout, especially when organizations are preparing to make a large payment, purchase, or an acquisition," said Klevchuk.

"There is a great chance that someone will fall for a conversation-hijacking attack over a more traditional type of phishing," she added.

However, while conversation-hijacking attacks are more sophisticated than regular phishing attacks, they're not impossible to spot. Users should pay attention to the email address a message is coming from and be suspicious if the domain is slightly different compared to what they're used to seeing.

Users should also be wary of sudden demands for payments or transfers and, if there's doubt about the origin of the request, they should contact the person requesting it, either in person, by phone, or by starting a new email to their known address.
​
Organizations can also protect their employees from these attacks by implementing two-factor authentication, because by adding this extra layer, even if login credentials are stolen, attackers can't use them to conduct further attacks.

The new year is giving scammers an easy way to forge documents, but you can protect yourself with an easy New Year's resolution: Stop abbreviating the year.

Why? This year's abbreviation is easily changeable and could be used against you. The concern is that scammers could easily manipulate a document dated "1/1/20" into "1/1/2000" or even "1/1/2021."

Writing out the full date "could possibly protect you and prevent legal issues on paperwork," according to Hamilton County, Ohio, Auditor Dusty Rhodes.

Ira Rheingold, the executive director of the National Association of Consumer Advocates, says it's early in the year to cite examples, but scammers could use the method to establish an unpaid debt or to attempt to cash an old check.

"Say you agreed to make payments beginning on 1/15/20. The bad guy could theoretically establish that you began owing your obligation on 1/15/2019, and try to collect additional $$$," Rheingold wrote.

In the future, post-dating could be a problem too. For example, a check dated "1/1/20" could become "1/1/2021" next year, possibly making the uncashed check active again, Rheingold wrote. A similar method could be used for debts that are past the statute of limits.

The solution is easy: There's no harm in writing the full date. Writing the month out can also help. 
​
Write this: January 15, 2020. Not this: 1/15/20.