Python and crypto-strength random numbers by default

Posted Sep 16, 2015 17:38 UTC (Wed) by jtaylor (subscriber, #91739)
Parent article: Python and crypto-strength random numbers by default

I'm curious, has there ever been a documented issue/exploit/break-in caused by the use of a good-but-not-crypto-good random number generator in the real world?
By good I mean for example a properly seeded MT or similar, not hilariously broken stuff like a linear congruential generator with poor parameters or the Debian SSL key bug.


to post comments

Python and crypto-strength random numbers by default

Posted Sep 16, 2015 18:49 UTC (Wed) by jimparis (guest, #38647)

This paper describes reverse-engineering a malicious worm by watching a /8 to see which IPs the worm probed. From there, they determined PRNG state and seeds, and used that to deduce everything from the system uptime and disk count of the infected hosts, to tracking down the "patient zero" computer where the worm started:
http://www.icir.org/vern/papers/witty-imc05.pdf

This paper describes PRNG attacks and has some real-world examples of many PHP applications with PRNGs that were vulnerable in some form. It seems like the most frequent attack is in things like password reset tokens: request a password reset yourself, check your email and figure out the server's PRNG state, request a password reset for your victim, and use the known PRNG state to predict their token:
https://media.blackhat.com/bh-us-12/Briefings/Argyros/BH_...

This page describes an online betting-type game where the attacker was able to predict results from previous ones:
http://jonasnick.github.io/blog/2015/07/08/exploiting-csg...

These slides describe an attack on WPS that involves figuring out the PRNG state (slide 15):
http://www.slideshare.net/0xcite/offline-bruteforce-attac...
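An added Python example, not from either commenter and not from any of the linked papers, modelling the reset-token scenario described in the comment above: a token built from the `random` module (Mersenne Twister) is reproduced exactly once the generator's state is known, whereas a token from the `secrets` module has no caller-visible state to recover. The seed, alphabet and token length are constructed for the demo; the state is copied with `getstate()` here rather than recovered from observed outputs.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32  # constructed token format for the demo


def weak_reset_token(rng: random.Random) -> str:
    """Token drawn from Python's Mersenne Twister (the random module).

    Every character is a pure function of the generator's internal state,
    so anyone who knows that state can regenerate the token.
    """
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_reset_token() -> str:
    """Token drawn from the OS CSPRNG via the secrets module (Python 3.6+)."""
    return secrets.token_urlsafe(24)  # 24 bytes -> 32 URL-safe characters


def demo_state_reuse() -> bool:
    """Model 'request your own reset first, then the victim's'.

    One server-side generator serves all requests in turn. The attacker's
    own token is issued first; once the generator state at that moment is
    known (copied here; the linked talk recovers it from observed output),
    replaying the generator predicts the very next token, the victim's.
    """
    server_rng = random.Random(12345)       # constructed seed for the demo
    known_state = server_rng.getstate()     # state as of the attacker's request
    _attacker_token = weak_reset_token(server_rng)
    victim_token = weak_reset_token(server_rng)

    replay = random.Random()
    replay.setstate(known_state)
    _ = weak_reset_token(replay)            # skip the attacker's own token
    predicted = weak_reset_token(replay)
    return predicted == victim_token


def demo_csprng_independent() -> bool:
    """secrets exposes no state to copy; successive tokens are unrelated."""
    return strong_reset_token() != strong_reset_token()
```

`demo_state_reuse()` returns True, showing why a shared `random` instance must never back security tokens; `secrets` is the drop-in replacement for that use.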


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds