SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Thursday, April 9th, 2026: Honeypot Fingerprinting; Microsoft Locks Developer Accounts; ActiveMQ Vuln;

SANS ISC Handlers

Tech News, News

4.9754 Ratings

🗓️ 9 April 2026

⏱️ 8 minutes

Summary

Daily 5 min cyber security news summary. News, patches, vulnerabilities and trends in information and network security. SANS Stormcast Thursday, April 9th, 2026: Honeypot Fingerprinting; Microsoft Locks Developer Accounts; ActiveMQ Vuln;

Transcript

0:00.0

Hello and welcome to the Thursday, April 9th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And just as a reminder that there will be no Friday podcast due to my travel schedule.

0:24.6

And this episode is brought to you by the SANS.edu credit certificate program in industrial control

0:31.1

system security. Well, in diaries today, I wrote a little bit about how attackers are attempting to fingerprint

0:39.4

honeypots, in particular the honeypots we are using, like the little Python script we use

0:44.8

to emulate web applications, and Cowrie, of course, that is being used to emulate Telnet and SSH.

0:51.2

Well, those kind of honeypots are often considered medium interaction honeypots,

0:56.5

meaning that they try to emulate particular vulnerable or non-vulnerable devices,

1:02.0

but are of course far from perfect, and that makes it relatively straightforward to fingerprint them

1:08.5

and making sure that a particular device is a honeypot.

1:12.3

Now, one trick that this particular attacker, researchers, wherever it was, did employ,

1:20.1

was to use username and password combinations that would definitely not show up in a normal system. So, for example, well, the username was admin

1:30.7

and the password then definitely not valid. Krets or usernames like Honeypotten, Honey Potter.

1:37.8

The idea behind this is that, for example, Cowrie that we're using to emulate Telnet and SSH,

1:43.9

well, it will sort of

1:44.8

randomly accept username and password combinations. So it will not just accept very specific

1:50.6

ones, but every so often, will let, uh, basically, an attacker in no matter what username and

1:55.5

password they're using to see what commands they may be executing. And that's what they're

2:00.6

looking for if they're looking for. If they're

2:02.5

able to actually log in with a username like Honey Potter, well, they assume then that they are

2:08.7

connected to a honeypot, which is a fairly fair assumption. Are we working on making a little bit

2:15.1

harder to fingerprint honeypots?

2:17.7

Yes, we always sort of look into this and may actually be adding some features to sort of, you know,

...

Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.

Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.
