2009-02-24T00:18:45Z

1) Actually Mark they are even more stupid than what you believe... :D
There are some sites (eg. http://cer.s603rd.cn/) which purpose is to create and distribuite DevCert to the users...
The main problem with this practice is that they have to distribute also the PRIVATE KEY (.key file) in order to allow users to use the DevCert.
With a simple search on TrustCerter database is then possible to obtain the PublisherID and then proceed with the ExpressSigned certification.

A very interesting test case...

2009-02-20T14:52:04Z

Given our recent discussion of the merits of Publisher IDs, this makes an interesting test case.

1) I'd love to find out where the Publisher ID that was used for signing this application can be traced to - I very much doubt there is any obvious connection to the author or any cyber criminals - they're just not that stupid. If they managed to do this once, surely they can do it again, and so can others...

2) I agree about OCSP checking but I think you'll find there's more than just enabling the feature in phones missing. As with most PKI stuff, the idea is good in theory but it doesn't work in practice.

3) Possibly this is 3rd Edition only and is using the old PlatSec exploits to escalate its capabilities. The example of an FP1 phone given in the report is the N73, which is plain 3rd Edition MR.

Mark

Gabor Torok's Forum Nokia Blog - Mobile worm, Yxes.A - an analysis

A very interesting test case...