A flawed RNG is an attacker’s dream, and a CISO’s worst nightmare.
Here’s exactly how not to use an RNG to generate tokens, keys, seeds and other cryptographic material.
Someone has a lot of explaining to do, no doubt, especially as this flaw has been known since 2007 and is easily avoided.
Given the scope of impact as noted in the article, I wonder what this means for any PCI PAN replacement tokens issued by systems which use this fatally flawed NSA RNG backdoor?
Predictable tokens? In scope of PCI? Lots of explaining to do… especially when it might not be easy to retokenize away from all those potentially vulnerable tokens.
A flawed random number generator is an attacker’s dream, and a CISO’s worst nightmare.