Hello and welcome to the Tuesday, January 9th, 2020,

edition of the Sansonet Storm Center's Stormcast. My name is Johannes Ulrich,

and today I'm recording from Jacksonville, Florida. Jesse today went over the user agents

that he found in his honeypod logs, how to parse them, and what to learn from these user agents.

Of course, there are some user agents that are pretty obvious, like some of these Internet-wide

research projects, use specific user agents identifying them.

Then we also do have user agents that do look like normal browsers, but quite often turn out to be spoofed user agents.

Jesse goes over how to parse user agents, which isn't quite as straightforward as it probably could be, based on sort of a bunch of variations that can show up in the user agent format and then also how to

learn whether or not a user agent is likely fake or whether it is the actual user agent used

by the particular tool being used to scan the honeypot of course given that we're dealing with

honeypot data that guesswork is a little

bit easier. It's probably not a normal web browser that is visiting a Honeypot website.

And one thing that I personally found useful in particular in the past when he had to defend

against denial of service attacks is to basically just look at very old user

agents.

So, for example, Google Chrome versions before 100 and such, which often turn out to be spoofed.

I talked a couple times over the last few years about the efforts led by NIST to find a new standard

cryptographic algorithm that is quantum safe. And this is a lengthy process and there is

lots of work being done to make sure that the algorithm selected will be safe. And just as well, how difficult this can be, shows vulnerability was discovered, actually,

two different vulnerabilities discovered in Crystal Scyper.

Crystal Scyper is a key encapsulation mechanism that is part of these algorithms being

investigated by the National Institute of Standards and Technology or NIST.

...