
A closer look into the RSA SecureID software token - wglb
http://www.sensepost.com/blog/7045.html
======
jwilliams
If you've got a rootkit on the machine, an easier way is to simply read out of
memory? I presume the key would be in the clear, in memory at some stage.

~~~
csears
Lsadump, a tool they mention in the article, does just that for the Windows
machine key. The other token input data is protected with that key.

Reading a single token code out of memory from the soft token process while
running would certainly work if the target's computer was on and the soft token
was in use, but having a completely independent cloned instance gives the
attacker a lot more flexibility when impersonating the user.