SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)

SANS Stormcast Wednesday, January 21st, 2026: Punycode Hunting; telnetd vuln; 6 day Certs and IP Certs; Oracle Patches

Jan 21, 2026
Explore the intriguing world of Punycode and its role in threat hunting, as experts suggest looking for specific patterns in DNS logs to sniff out impersonation attempts. Uncover critical vulnerabilities in legacy telnetd, where an authentication bypass could lead to serious security breaches. Discover the introduction of six-day certificates by Let’s Encrypt, particularly for IP addresses, and hear about Oracle's latest patch update that addresses a staggering 337 vulnerabilities. Stay informed and secure!
ADVICE

Hunt Punycode In DNS Logs

  • Check DNS logs for Punycode (xn-- prefix) to find potential international domain impersonation attempts.
  • Prioritize hits where the TLD is ASCII but a label uses Punycode, as that often indicates impersonation.
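
The hunt described in these two points, as an added example that is not from the episode or from SANS: it flags query names containing an `xn--` label, decodes them for the analyst, and ranks ASCII-TLD hits first. The log layout (`timestamp client qname qtype`), the function names and the sample lines are assumptions constructed for illustration.

```python
# Added example: flag Punycode (xn--) labels in DNS query logs.
# Assumed log format (constructed): "<timestamp> <client_ip> <qname> <qtype>"

SAMPLE_LOG = """\
2026-01-21T08:00:01Z 10.0.0.5 www.example.com. A
2026-01-21T08:00:02Z 10.0.0.7 xn--bcher-kva.example. A
2026-01-21T08:00:03Z 10.0.0.7 login.XN--MNCHEN-3YA.example. AAAA
2026-01-21T08:00:04Z 10.0.0.9 xn--bcher-kva.xn--p1ai. A
"""


def decode_label(label):
    """Return the Unicode form of an xn-- label, or None if it does not decode."""
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return None


def hunt(log_text):
    """Return one finding per query name that contains a Punycode label."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        # DNS names are case-insensitive and may carry a trailing root dot.
        client, qname = fields[1], fields[2].rstrip(".").lower()
        labels = qname.split(".")
        puny = [l for l in labels if l.startswith("xn--")]
        if not puny:
            continue
        # ASCII TLD with a Punycode label elsewhere is the case to review first.
        priority = "high" if not labels[-1].startswith("xn--") else "low"
        findings.append({
            "client": client,
            "qname": qname,
            "decoded": [decode_label(l) for l in puny],
            "priority": priority,
        })
    # Stable sort: high-priority hits first, original log order otherwise.
    return sorted(findings, key=lambda f: f["priority"] != "high")


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["priority"], f["client"], f["qname"], f["decoded"])
```

Showing the decoded label next to the raw name lets the analyst compare it against the brands and internal domains worth protecting.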
INSIGHT

Browser Differences Affect Punycode Visibility

  • Browser behavior affects Punycode attack visibility; Safari often shows native characters while Chrome shows punycode.
  • Detection value depends on your users' browser mix and which domains they visit.
ADVICE

Disable Telnet And Patch Inetutils

  • Disable telnet and remove inetd's telnetd if you run it, especially on IoT devices.
  • Update GNU InetUtils to patch the authentication bypass that allows passing arbitrary usernames to the login shell.