hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

reporter

Members
  • Joined

  • Last visited

    Never

Everything posted by reporter

  1. An individual or group is doing new probing of content delivery networks (CDNs), an effort that CSOs, CIOs and network administrators should worry about if they use CDNs instead of web application firewalls to protect websites. That’s the conclusion of Johannes Ullrich, dean of research at the SANS Institute, who this week said his organization’s honeypots last month detected a curious amount of traffic with server requests that include CDN-related headers.

     Perhaps, he said, someone is testing a tactic to evade CDN defences for launching either a targeted attack or a widespread distributed denial of service (DDoS) attack on a site. For example, the honeypots have seen headers on traffic that include: “Cf-Warp-Tag-Id,” which is associated with Cloudflare’s Warp VPN service; “X-Fastly-Request-Id,” which is associated with the Fastly CDN; “X-Akamai-Transformed,” a header added by Akamai; and a puzzler: “X-T0Ken-Inf0.” Ullrich thinks it might contain a form of authentication token, but isn’t sure.

     In an interview, he said one explanation is that a threat actor is trying to get around a CDN’s filters by creating page requests that include a CDN-related header. Another possible explanation is that these requests are merely going through a CDN, but, Ullrich said, “the requests we’re seeing don’t quite look like that.”

     Internet requests are messages sent from a client such as a web browser to a web server, requesting a web page. A wave of requests can be a DDoS attack, or mask a different kind of attack. These days, many organizations use CDNs or cloud providers for basic DDoS protection and bot filtering in addition to load balancing. In a typical setup, Ullrich said, DNS is used to point clients to the CDN, which then forwards the request to a customer’s web server. However, there’s a problem: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly.

     There are a few ways for users to prevent this. For example, depending on the CDN selected, it may be possible to allow access only from the CDN’s IP address space. However, for some of the larger providers, this list of addresses may be large and very dynamic. Another option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that have passed through the CDN. And a less secure option is to look for any header that identifies the CDN. However, Ullrich noted, merely looking for a header should be avoided, as attackers can easily include this header in their traffic. This appears to be the activity the SANS honeypot has been seeing since November.

     A spokesperson for CDN Cloudflare’s PR agency said a comment couldn’t be arranged by deadline.

     Related content: How a bot management file push crippled Cloudflare’s global network

     Kellman Meghu, chief security architect at DeepCove Security, says the activity seen by the SANS Institute’s honeypots isn’t new. But, he added, it only becomes an issue when there is improper access control, or the controls fail. “Origin web servers should be deployed with access controls, be it security groups or firewall rules, to only ever allow communication with the CDN service,” he said in an email. “Just deploying your web application as accessible to the world, and then overlaying a CDN to act as the front end seems like a terrible waste of money and effort. In today’s world of infrastructure-as-code, this can and should be easy to manage and mitigate as far as risk goes.”

     Aditya Sood, VP of security engineering and AI strategy at Aryaka, said in an email that a surge in requests that include CDN-related headers “is clear experimentation from threat actors, and the impersonation isn’t just random noise, it’s reconnaissance. Attacks are probing to uncover the weak origin validation in organizations who are trusting the mere presence of a CDN-specific header instead of enforcing proper controls like IP allowlists, private network peering, or cryptographically validated tokens. When you see multiple CDN fingerprints being spoofed at roughly the same time, it usually means new tooling or automated scanners are being deployed in the wild.”

     Proper origin hardening that includes strict IP allowlists, validated tokens, or private connectivity is essential to protect websites, he said. “Relying only on the presence of CDN-specific headers is no longer viable, and organizations that have not fully locked down their backend infrastructure may already be exposed.”

     Ullrich added that CDNs and other traffic filtering services will issue a unique value to each customer as proof that traffic has gone through its service, so web administrators should configure their web servers or next generation firewalls to only accept requests with that unique value.

     The activity SANS has seen is “definitely something that should be seen as a warning that something that could become more than it is now,” he said. “Now it’s only a curiosity, but it could easily become more. You [admins] need to follow your content delivery network’s guidance to protect your web server from attacks like this.”

     View the full article
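The two origin-side controls the post contrasts, as an added example that is not part of the original post or of any CDN vendor's code: the weak check of merely looking for a CDN-branded header, beside the hardened check that requires both a source address inside the CDN's allowlisted ranges and a per-customer secret header compared in constant time. The IP ranges, the header name x-origin-secret, the secret value and the sample requests are all constructed for this example.

```python
"""Origin-side validation of requests that claim to have come through a CDN.

Shows why checking for the presence of a CDN-branded header is not a control
(anyone can add one) and what the recommended check looks like instead:
source IP inside the CDN's published ranges AND the per-customer secret value
the CDN injects, compared in constant time.
"""
import hmac
import ipaddress

# Constructed stand-ins. In production these come from the CDN's published
# address ranges and from the secret the CDN provider issued for this origin.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8:cd::/48")]
ORIGIN_SECRET_HEADER = "x-origin-secret"          # constructed header name
ORIGIN_SECRET_VALUE = "constructed-per-customer-value"

# Headers that only name a CDN brand; their presence proves nothing.
CDN_BRAND_HEADERS = {"cf-warp-tag-id", "x-fastly-request-id",
                     "x-akamai-transformed"}


def weak_check(headers):
    """The pattern the post warns against: trust any CDN-looking header."""
    names = {k.lower() for k in headers}
    return bool(names & CDN_BRAND_HEADERS)


def hardened_check(client_ip, headers):
    """Accept only if the peer is in the CDN ranges AND presents the secret.

    Returns (accepted, reason) so a rejection can be logged with its cause.
    """
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "unparseable client ip"
    if not any(ip in net for net in CDN_RANGES):
        return False, "source ip outside CDN allowlist"
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(ORIGIN_SECRET_HEADER, "")
    # Constant-time comparison; a missing header compares as a mismatch.
    if not hmac.compare_digest(presented.encode(), ORIGIN_SECRET_VALUE.encode()):
        return False, "missing or wrong origin secret"
    return True, "ok"


# Constructed requests: (1) genuine CDN traffic, (2) honeypot-style request
# carrying a brand header from an arbitrary address, (3) right source range
# but no secret, (4) correct secret from outside the CDN (a leaked value).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "headers": {"X-Fastly-Request-Id": "r1",
                                       "X-Origin-Secret": ORIGIN_SECRET_VALUE}},
    {"ip": "198.51.100.7", "headers": {"X-Akamai-Transformed": "constructed"}},
    {"ip": "203.0.113.10", "headers": {"Cf-Warp-Tag-Id": "constructed"}},
    {"ip": "198.51.100.7", "headers": {"X-Origin-Secret": ORIGIN_SECRET_VALUE}},
]


def triage(requests):
    """Per request: (weak verdict, hardened verdict, hardened reason)."""
    out = []
    for r in requests:
        ok, reason = hardened_check(r["ip"], r["headers"])
        out.append((weak_check(r["headers"]), ok, reason))
    return out


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(req["ip"], sorted(req["headers"]), "->", verdict)
```

Requests where the weak verdict is True but the hardened verdict is False are exactly the traffic the honeypots described: a CDN fingerprint with nothing behind it, and worth counting in your own logs.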
  2. Here are hints and answers for the NYT Strands puzzle for Dec. 5, No. 642. View the full article
  3. Big Tech has lost its way. At WIRED’s Big Interview event, Techdirt editor Mike Masnick and Common Tools CEO Alex Komoroske announced a manifesto designed to help the industry get back on track. View the full article
  4. The social media company is also testing a new AI support assistant for quick help. View the full article
  5. Meta wants to make its AI hardware slicker and more fashion-forward. It also needs to make its software more usable. The way to do all that appears to be hiring design maestros away from Apple. View the full article
  6. The cofounder and CEO of Circle says “money as an app platform” is the next step in a digital-based global economic system that’s right around the corner. View the full article
  7. The Ceramic Shield 2 material that Apple uses for the iPhone 17 display includes an anti-reflective coating that's designed to cut down on glare. It's a coating that prior-generation iPhone models didn't have, and it can make a difference in bright lighting conditions. If you're someone who likes to use a screen protector with your iPhone, you might be nullifying the anti-reflective property of the iPhone 17 display, based on testing done by Astropad.

     Compared to the iPhone 17, Astropad found that the anti-reflective coating reduces reflections by approximately 50 percent when compared to the iPhone 16, but applying a screen protector without an anti-reflective coating of its own makes the anti-reflective Ceramic Shield 2 coating less effective. According to Astropad, this is because AR coatings are created for direct contact with air, and covering them with an extra layer of material cancels the effect.

     Astropad did screen protector testing because it sells Fresh Coat, a screen protector with an anti-reflective coating, and it is promoting Fresh Coat through its testing and report. Astropad says that Fresh Coat and other screen protectors with an anti-reflective coating can replace or even outperform the anti-reflective properties of the iPhone 17's display. Fresh Coat by Astropad enhances AR clarity on any iPhone, creating a surface nearly 4x less reflective than the display on an iPhone 16 and 2x less reflective than iPhone 17's Ceramic Shield 2. Astropad did controlled testing with a light meter, and full testing results can be found on the Astropad website.

     This article, "Screen Protectors Without AR Coating Cancel Out iPhone 17's Anti-Reflective Display," first appeared on MacRumors.com. View the full article
  8. Sahil Lavingia, previously a DOGE operative at the Department of Veterans Affairs, is now a career employee at the IRS. He said at WIRED's Big Interview event that he expects to work there 10 years. View the full article
  9. The United States Inspector General report reviewing Secretary of Defense Pete Hegseth's text messaging mess recommends a single change to keep classified material secure. View the full article
  10. People like to rag on the Bay Area, but mayor Daniel Lurie believes there’s no better place in the world than San Francisco. View the full article
  11. By rolling back auto industry fuel efficiency goals, US president Donald Trump hopes to make new cars cheaper. But prices won't drop for years, and consumers will spend more on gas in the meantime. View the full article
  12. The author of Super Agers believes AI could bring big changes to the world of medicine. View the full article
  13. China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

      Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

      An instant message spoofing T-Mobile says the recipient is eligible to claim thousands of rewards points.

      The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor’s name, address, phone number and payment card data to claim the points.

      A phishing website registered this week that spoofs T-Mobile.

      If card data is submitted, the site will then prompt the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim’s phished card details in a mobile wallet from Apple or Google. If the victim also provides that one-time code, the phishers can then link the victim’s card to a mobile device that they physically control.

      Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:

      An SMS phishing or “smishing” website targeting AT&T users.

      Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time, but the scam has only recently been pointed at consumers in the United States. “These points redemption schemes have not been very popular in the U.S., but have been in other geographies like EU and Asia for a while now,” Merrill said.

      A review of other domains flagged by urlscan.io as tied to this Chinese SMS phishing syndicate shows they are also spoofing U.S. state tax authorities, telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code.

      A text message that spoofs the District of Columbia’s Office of Tax and Revenue.

      CAVEAT EMPTOR

      Many SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious. But Merrill said one burgeoning area of growth for these phishing kits — fake e-commerce shops — can be far harder to spot because they do not call attention to themselves by spamming the entire world.

      Merrill said the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts. Those phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products.

      A machine-translated screenshot of an ad from a China-based phishing group promoting their fake e-commerce shop templates.

      With these fake e-commerce stores, the customer is supplying their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by your financial institution. The fake shopping site claims the code is required by the user’s bank to verify the transaction, but it is sent to the user because the scammers immediately attempt to enroll the supplied card data in a mobile wallet.

      According to Merrill, it is only during the check-out process that these fake shops will fetch the malicious code that gives them away as fraudulent, which tends to make it difficult to locate these stores simply by mass-scanning the web. Also, most customers who pay for products through these sites don’t realize they’ve been snookered until weeks later when the purchased item fails to arrive.

      “The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill said. “They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools.”

      Happily, reporting these SMS phishing lures and websites is one of the fastest ways to get them properly identified and shut down. Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. SURBL has created a website called smishreport.com that asks users to forward a screenshot of any smishing message(s) received.

      “If [a domain is] unlisted, we can find and add the new pattern and kill the rest” of the matching domains, Dijkxhoorn said. “Just make a screenshot and upload. The tool does the rest.”

      The SMS phishing reporting site smishreport.com.

      Merrill said the last few weeks of the calendar year typically see a big uptick in smishing — particularly package redelivery schemes that spoof the U.S. Postal Service or commercial shipping companies. “Every holiday season there is an explosion in smishing activity,” he said. “Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished.”

      SHOP ONLINE LIKE A SECURITY PRO

      As we can see, adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet. Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers (think third-party sellers on these platforms).

      If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

      If you receive a message warning about a problem with an order or shipment, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.

      But it’s not just outright scammers who can trip up your holiday shopping: Oftentimes, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling. So be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.

      Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.

      View the full article
  14. We analyze the top 100 channels across the most popular live TV streaming services. View the full article
  15. The agency already opened an investigation in October over Waymo's performance around school buses. View the full article
  16. Here are some hints and the answers for the NYT Connections puzzle for Dec. 5, No. 908. View the full article
  17. Micro1 started the year with roughly $7 million ARR. Now, it claims to have surpassed $100 million in ARR, double what it reported in September. View the full article
  18. When researchers asked AI models to explain how they solved puzzles, the models made stuff up. That's a big trust issue. View the full article
  19. Here are hints and the answer for today's Wordle for Dec. 5, No. 1,630. View the full article
  20. Tiimo, a visual planner for people with ADHD that uses AI, won the App of the Year award. View the full article
  21. Apple loses two more top senior executives with exits of longtime general counsel Kate Adams and environmental VP Lisa Jackson. Meta’s Jennifer Newstead is set to join as new general counsel in 2026. View the full article
  22. Cloudflare CEO Matthew Prince claims the internet infrastructure company’s efforts to block AI crawlers are already seeing big results. View the full article
  23. Two senior Apple executives are leaving the company, Apple announced today. Apple's Senior Vice President and General Counsel Kate Adams and Lisa Jackson, Vice President of Environment, Policy and Social Initiatives, are both retiring in 2026.

      Adams will be replaced with Jennifer Newstead, who will join Apple as a senior vice president on January 1, and will become Apple's general counsel on March 1, 2026. Newstead is currently Meta's chief legal officer, and she was previously the Legal Adviser to the United States Department of State.

      When Newstead takes over as general counsel, Adams will not immediately leave. She will instead oversee the Government Affairs organization after Jackson retires in late January 2026. Adams will remain at Apple until late 2026, at which point Newstead will take over. Newstead will ultimately oversee both Apple's Legal and Government Affairs organizations as Senior Vice President, General Counsel and Government Affairs.

      In a statement, Apple CEO Tim Cook said that he is pleased to merge Legal and Government Affairs because of increasing overlap between the two teams. "We couldn't be more pleased to have Jennifer join our team," said Cook. "She brings an extraordinary depth of experience and skill to the role, and will advance Apple's important work all over the world. We are also pleased that Jennifer will be overseeing both the Legal and Government Affairs organizations, given the increasing overlap between the work of both teams and her substantial background in international affairs. I know she will be an excellent leader going forward."

      Jackson's other responsibilities, which include Environment and Social Initiatives, will be taken over by Chief Operating Officer Sabih Khan. Cook said that Jackson played an important role in helping Apple achieve its environmental goals. "I am deeply appreciative of Lisa's contributions. She has been instrumental in helping us reduce our global greenhouse emissions by more than 60 percent compared to 2015 levels," said Cook. "She has also been a critical strategic partner in engaging governments around the world, advocating for the best interests of our users on a myriad of topics, as well as advancing our values, from education and accessibility to privacy and security."

      Adams has been with Apple since 2017, and before that, she worked for Honeywell. Jackson joined Apple in 2013 after serving as Administrator of the U.S. Environmental Protection Agency, and she has been the face of Apple's environmental messaging since then.

      Apple's announcement comes shortly after lead interface designer Alan Dye left the company, and after AI chief John Giannandrea's retirement announcement. Earlier this year, Apple lost Chief Operating Officer Jeff Williams, who is retiring, and Chief Financial Officer Luca Maestri. There have also been rumors about Apple CEO Tim Cook retiring, with rumors suggesting he is preparing to leave his role as soon as 2026.

      This article, "Apple General Counsel Kate Adams and Environment Chief Lisa Jackson Retiring in 2026," first appeared on MacRumors.com. View the full article
  24. Here are the high-tempo holiday songs that get on your pets' nerves the most, according to research. View the full article
  25. Sony's ULT Field 5 Bluetooth speaker is the winner of a CNET Editors' Choice award, and now you can grab it on sale for a massive 44% off. View the full article