Not So Random - Exploiting Unsafe Random Number Generator Use

Presented at Kiwicon X: The Truth is In Here (2016), Nov. 17, 2016, 6 p.m. (30 minutes)

PRNG? CSPRNG? Do these acronyms mean anything to you? What's the difference? Why does it matter? After all, your app's password reset tokens are definitely generated with a CSPRNG, right? This talk covers the exploitation of unsafe random number generation across a number of languages. Just how practical is it? In this talk we'll discuss a bit of background, what insecure random number generation looks like, and some practical examples of real-world exploitation. We'll then look at options that are available to developers to avoid these issues in their own applications.


  • Brendan Jamieson / hyprwired as Brendan "hyprwired" Jamieson
    Brendan Jamieson (@hyprwired) is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG, OWASP New Zealand Day, and involved in a number of Kiwicons as a speaker; a trainer; and also co-event organiser for the Hamiltr0n CTF.


Similar Presentations: