Recently a researcher from SensePost posted a technique that can be used to defeat RSA’s software-based SecurID tokens. The research shows that one of the key components of the number generation can be easily accessed from the local system and copied. To access this file the attacker must be the administrator or the actual user. It is important to note that this only applies to the software-based tokens, not the hardware-based ones that are commonly seen on people’s key chains.
What is important here is that encryption is not a magic security tool. Even the most robust encryption algorithm can have security vulnerabilities in key generation or key storage, rendering it insecure. It is also important to note that securing the endpoint remains a major concern at every level.