Not So Random - Exploiting Unsafe Random Number Generator Use

Presented at Kiwicon X: The Truth is In Here (2016), Nov. 17, 2016, 6 p.m. (30 minutes)

PRNG? CSPRNG? Do these acronyms mean anything to you? What's the difference? Why does it matter? After all, your app's password reset tokens are definitely generated with a CSPRNG, right? This talk covers the exploitation of unsafe random number generation across a number of languages. Just how practical is it? In this talk we'll discuss a bit of background, what insecure random number generation looks like, and some practical examples of real-world exploitation. We'll then look at options that are available to developers to avoid these issues in their own applications.

Presenters:

• Brendan Jamieson / hyprwired   as Brendan "hyprwired" Jamieson
  Brendan Jamieson (@hyprwired) is a security consultant for Insomnia Security, based out of Wellington. He is active in the .nz infosec community, having spoken at Wellington's ISIG, OWASP New Zealand Day, and involved in a number of Kiwicons as a speaker; a trainer; and also co-event organiser for the Hamiltr0n CTF.

Links:

• https://2016.kiwicon.org/the-con/talks/#e269

Similar Presentations:

• Summercon 2014 / Exploiting Randomness: Fun Attacks Using a Compromised Random Number Generator
• 33C3 (2016) / Wheel of Fortune: Analyzing Embedded OS Random Number Generators
• 32C3 (2015) / The plain simple reality of entropy: Or how I learned to stop worrying and love urandom