Archive for tag: Malware

Lookout Security releases ‘Push Ad’ Detector

5 February, 2012 (08:01) | Songs and Music, Technology News | By: Technology Expert

Highly regarded mobile security firm Lookout Security has just released a "Push Ad" detector. The free app will detect any apps on your device that contain code from ad networks that can push ads to your Android notification bar, push ad-enabled search icons to your device's desktop, or make setting modifications to your mobile browser.

You might recall a story we recently published, detailing Japanese carrier KDDI's moves into pushing ads to the notification bar of Android devices.

Push Ad Detector currently detects the following six ad networks, which Lookout says are the ones that use the most aggressive push ad techniques.
  • Airpush
  • Appenda
  • LeadBolt
  • Moolah Media
  • Startapp
  • TapIt!
Note: just because an app includes the code from one or more of these networks does not mean that the app is actually using the push ad technology. It will still be detected by the Push Ad Detector, however.

Once the Push Ad Detector finds an app that integrates one of these ad networks, if possible, it will display a link enabling an end user to opt out of the ad network. Note the words "if possible."

If there is no opt-out link for the network, a user will need to remove the app to effectively opt-out. Push Ad Detector also provides a shortcut to the Application Details page for the app, from which a simple "uninstall" tap can be used to remove the app manually.

Although Lookout is a security company, this isn't a malware detecting app. It could be categorized as an adware detecting app, instead.

Zappos.com hacked, 24 million-plus accounts compromised

17 January, 2012 (08:01) | Songs and Music, Technology News | By: Technology Expert

Speaking of a lack of security, online retailer Zappos.com (which is actually owned by Amazon.com) has been hacked, with personal information from its more than 24 million customers accessed.

All those customers will be required to reset their passwords, and the information stolen includes names, billing and shipping addresses, email addresses, phone numbers, and the last four digits of their credit card numbers. Customers' full credit card numbers were not accessed because they were stored in a separate database. Encrypted passwords were also stolen, but they would have to be decrypted.

On Sunday night, Zappos CEO Tony Hsieh wrote a warning message to employees, which included the text of the email Zappos would send to customers. In his message, he said,

"The most important focus for us right now is the safety and security of our customers' information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We've already reset and expired their existing passwords.)"

The email to customers says, in part,

"First, the bad news:

"We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

"THE BETTER NEWS:

"The database that stores your critical credit card and other payment data was NOT affected or accessed."

Back to the bad news, however. Zappos has taken the unusual step of disabling its telephone customer service lines, in anticipation of an overload. Hsieh said to employees:

"Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren't capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)"

However, at the same time, Hsieh said the company would have "all hands on deck," meaning even those not in the Customer Service department would be helping customers with questions.

While the loss of an encrypted password is probably not an issue, it brings to light a security flaw many end users have in their passwords: they use the same password everywhere. If the password is ever acquired --- and in the clear --- that password can be used to open their Gmail, Amazon.com, etc. etc.

While difficult, it's best to use a separate password for every account, of every type. To manage those passwords, rely on a password manager of some type.

Hacker threatens to release complete Norton Antivirus source code on Tuesday

16 January, 2012 (16:34) | Songs and Music, Technology News | By: Technology Expert

A hacker who goes by the handle "Yama Tough" has announced that he will post the full source code of Symantec Corp's Norton Antivirus software. As we reported earlier, however, the source code that was hacked from Indian government servers wasn't for Symantec's flagship Norton product, but instead for old (and we mean old) enterprise security software.

The source code was given to the Indian government so that it could be inspected to "ensure" that the product was secure. The authorities left the code on servers which were then accessed by the hackers, showing that the product may have been secure, but the Indian servers were not.

"Yama Tough" has already posted snippets of the code. The code released on Pastebin so far points to the code being from 1999. Symantec itself earlier said the code was from obsolete Enterprise products, not their Norton Security line of consumer products.

"Yama Tough" Tweeted: "This comming (sic) Tuesday behold the full Norton Antivirus 1,7Gb src, the rest will follow,"

In their latest statement, Symantec said:

"The code for Norton Utilities that was posted publicly is related to the 2006 version ... [and is] no longer sold or supported.

"The current version of Norton Utilities has been completely rebuilt and shares no common code with Norton Utilities 2006. The code that has been posted for the 2006 version poses no security threat to users of the current version of Norton Utilities."

Odds are that neither hackers nor competitors will get much information out of this release, at least not current, up-to-date information. Still, despite the fact that the insecure servers were Indian government servers, there is still nothing so embarrassing as a security firm hacked in one way or another.

Leak of Source Code for Old Enterprise Antivirus Products

6 January, 2012 (16:10) | Bollywood Gossips, Songs and Music | By: Ali

Symantec Confirms Leak of Source Code

"Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old," said Cris Paden, the company's senior manager for corporate communications.

The confirmation comes in light of recent claims made by a group of hackers that they've copied Norton AntiVirus source code from compromised servers belonging to Indian intelligence agencies.

Paden confirmed that the security breach didn't occur on Symantec's own network, but that of a third party entity. However, he declined to speculate about its identity until the ongoing investigation reveals more information.

Researcher shows how to hack an HP printer by printing a malware-laden document

3 January, 2012 (08:01) | Songs and Music, Technology News | By: Technology Expert

At the recently held 28th annual Chaos Communication Congress (28C3), a hacker demonstrated how HP network print servers can be hacked simply by printing a malware-laden document. He did this by reverse-engineering the HP printer firmware update process, and amusingly, HP actually had a firmware flag called "super-secret bypass of crypto-key enabled."

Just advertising a way to bypass your security isn't a great idea, HP.

The problems were detailed in Ang Cui's Print Me If You Dare presentation, where he showed how one malware-infested document could make the printer post copies of the documents it printed to an IP address on the Internet, or, in a scarier example, make the printer scan the LAN for vulnerable PCs, turning any it found into a proxy server that could then access PCs on the LAN through a firewall.

HP now has new firmware available that fixes this vulnerability. Cui urged anyone with an HP network printer to apply the firmware; it's possible that hackers could create custom firmware that would make the printer report that it has accepted the vulnerability-fixing firmware while instead discarding it.

Contrary to prior reports, printers vulnerable to this exploit cannot be overheated to the point that they can be turned into "flaming death bombs"; Cui debunked that claim, saying the best that could be done was to lightly singe a sheet of paper.

The exploit isn't specific to HP printers, Cui believes. It's another example of how the more technology that is inserted into our lives, the more chance there is that something you wouldn't imagine could be hacked.

OEMs, carriers release list of tens of millions of Carrier IQ-carrying phones

16 December, 2011 (18:23) | Songs and Music, Technology News | By: Technology Expert

In response to a request made by U.S. Senator Al Franken (D-Minn.), AT&T, Sprint, Samsung and HTC have released the names of most of the U.S. smartphones that contain the Carrier IQ logging software. In addition, the carriers have admitted that at least in "some instances," Carrier IQ logged the text content of SMS messages.

Naturally, "some instances" is some too many for consumers. That admission could possibly fuel additional lawsuits, in addition to those already filed. The responses from the companies can be viewed at Senator Franken's site.

Unfortunately, the list is incomplete. No. 4 U.S. carrier T-Mobile has not responded yet, nor has Motorola. This is also a U.S. carrier-only list, and Carrier IQ has said that the software is used globally.

However, the current list is the following. Note that Verizon has said it does not use Carrier IQ software in its handsets.

AT&T

AT&T said that approximately 900,000 customers had phones with Carrier IQ on them. The software is active on eleven AT&T devices:
  • Motorola Atrix 2
  • Motorola Bravo
  • Pantech Pursuit II
  • Pantech Breeze 3
  • Pantech P5000 (Link 2)
  • Pantech Pocket
  • Sierra Wireless Shockwave
  • LG Thrill
  • ZTE Avail
  • ZTE Z331
  • SEMC Xperia Play
It's also installed but not active "due to the potential for the software agent to interfere with the performance" on the following phones. Notably, these are the new (and first set of) LTE phones that AT&T has recently released.
  • HTC Vivid
  • LG Nitro
  • Samsung Skyrocket
Carrier IQ is also embedded in AT&T's Mark the Spot application, available for Android and RIM. That app is used to Mark the Spot of network issues. The iPhone version of the app apparently does not carry Carrier IQ.

Sprint

Sprint seems to be the biggest user of Carrier IQ in the U.S., with about 26 million active Sprint devices having the software installed. That's nearly half of all their subscribers, which currently number about 53.4 million. Sprint didn't detail exact handsets, but gave manufacturers instead. You can assume, based on that number, that all or nearly all of the Android handsets of these manufacturers are "infected."
  • Audiovox
  • Franklin
  • HTC
  • Huawei
  • Kyocera
  • LG
  • Motorola
  • Novatel
  • Palmone
  • Samsung
  • Sanyo
  • Sierra Wireless
Samsung

Samsung said about 25 million smartphones are affected. The South Korean giant and No. 1 smartphone manufacturer globally said it has directly installed Carrier IQ in the following:

Sprint
  • SPH-M800 (Samsung Instinct)
  • SPH-M540 (Samsung Rant)
  • SPH-M630 (Samsung Highnote)
  • SPH-M810 (Samsung Instinct s30)
  • SPH-M550 (Samsung Exclaim)
  • SPH-M560 (Samsung Reclaim)
  • SPH-M850 (Samsung Instinct HD)
  • SPH-I350 (Samsung Intrepid)
  • SPH-M900 (Samsung Moment)
  • SPH-M350 (Samsung Seek)
  • SPH-M570 (Samsung Restore)
  • SPH-D700 (Samsung Epic 4G)
  • SPH-M910 (Samsung Intercept)
  • SPH-M920 (Samsung Transform)
  • SPH-M260 (Samsung Factor)
  • SPH-M380 (Samsung Trender)
  • SPH-M820 (Samsung Galaxy Prevail)
  • SPH-M580 (Samsung Replenish)
  • SPH-D600 (Samsung Conquer 4G)
  • SPH-M930 (Samsung Transform Ultra)
  • SPH-D710 (Samsung Epic 4G Touch)
  • SPH-M220
  • SPH-M240
  • SPH-M320
  • SPH-M330
  • SPH-M360
  • SPH-P100
  • SPH-Z400
T-Mobile
  • T989 (Samsung Hercules)
  • T679 (Samsung Galaxy W)
Cricket
  • SCH-R500 (Samsung Hue)
  • SCH-R631 (Samsung Messager Touch)
  • SCH-R261 (Samsung Chrono)
  • SCH-R380 (Samsung Freeform III)
AT&T
  • SGH-i727 (Samsung Galaxy S II Skyrocket)
HTC

HTC said that it has preinstalled Carrier IQ on about 6.3 million Android phones, including:
Sprint
  • Snap
  • Touch Pro 2
  • Hero
  • EVO 4G
  • EVO Shift 4G
  • EVO Design
T-Mobile
  • Amaze 4G
AT&T
  • Vivid
Senator Franken has asked Motorola and T-Mobile to respond by Tuesday, Dec. 20.

The Carrier IQ software which is at the heart of this furball was discovered a few weeks ago by a security researcher. While since then the software's behavior has been shown to be less egregious than originally thought, it is still an issue that it was "hidden" on handsets for years without being "announced" or "admitted to" by any of the parties involved.

It's these sorts of tracking and logging behaviors that should be opt-in, not opt-out (oh, and by the way, there's no way, currently, to opt out of Carrier IQ logging), many would say, and certainly --- a degree of openness about this sort of "feature" would eliminate a lot of problems and consumer angst.

Microsoft will give away free Windows Phones to five Android users with the worst malware horror stories.

15 December, 2011 (17:04) | Bollywood Gossips, Songs and Music | By: Ali

Microsoft is capitalizing on a recent Android malware scam by giving away free Windows Phones to five Android users with the worst malware horror stories. Ben Rudolph, Microsoft's Windows Phone evangelist, announced the contest on Twitter using the hashtag #droidrage. Microsoft followed Rudolph's lead and publicized the contest on its official Twitter feed.

This isn't the first time Microsoft has used free phones to win people over to its mobile platform. In August, the software giant offered free Windows Phones to webOS developers after Hewlett-Packard announced it was discontinuing its webOS device lineup. HP recently announced it would make webOS an open source project and may release a new webOS tablet in 2013.

RuFraud

Google recently removed 22 malicious apps purporting to be legitimate versions of popular programs such as Cut The Rope and Angry Birds. The apps were packaged with malware that would send fake text messages to premium-rate SMS numbers, costing the user around $5 per SMS.

The so-called RuFraud scam targeted European users and did not affect Android phones in North America. Lookout Security, the firm that first brought the scam to Google's attention, says it has since discovered another five RuFraud apps in the Android Market, bringing the total app count to 27.

Droid Rage in 140 characters or less

Carrier IQ goes into full disclosure mode, but will it be enough?

13 December, 2011 (17:55) | Songs and Music, Technology News | By: Technology Expert

Carrier IQ has released a new report (.PDF), as it continues to try to "recover" from the public perception and reports that it logs keystrokes and is even being used in FBI investigations.

Carrier IQ (CIQ) is "coming clean" and sharing virtually everything about what it does and does not share with its partners. It even reveals, in the 19-page document, that the log files it uploads daily (during idle time) are about 200KB in size, but don't count against a customer's data cap (as they shouldn't).

However, here's the big deal for us, as we've said before: all of this "openness" should have been done before the first log file was uploaded. It's when things like this are discovered after the fact that a) misinformation is spread, b) people get upset.

In the document, Carrier IQ thanked Trevor Eckhart, who was actually the one who started this firestorm when he posted what appeared to be video evidence of Carrier IQ logging keystrokes.

Carrier IQ's response to that is detailed in the document.

"Our investigation of Trevor Eckhart’s video indicates that location, key presses, SMS and other information appears in log files as a result of debug messages from pre-production handset manufacturer software. Specifically it appears that the handset manufacturer software’s debug capabilities remained 'switched on' in devices sold to consumer."

This has been CIQ's assertion from the beginning.

At the same time, other researchers, including security researcher Dan Rosenberg, reported supporting results, indicating that Carrier IQ was more benign than first thought. Rosenberg also assisted Carrier IQ in its new report.

Carrier IQ's latest document appears to be its own response to the request by Sen. Al Franken (D-Minn.), who last week asked wireless carriers and OEMs for information on how they are using the Carrier IQ data.

Carrier IQ did find a bug in its software, and admitted as much (it's software after all; there are always bugs). The bug unintentionally allows CIQ's IQ Agent software to receive an SMS message during a call or when there is a "simultaneous data session." However, the message is encoded and "not human readable."

As for why the software is not "opt in," as many would like, CIQ said that it could be ... it's designed to be opt-in or -out. CIQ said that the carriers are the ones who define that, and of course, it's always been opt-out.

The document goes into great detail on Carrier IQ's software, so much so that most consumers will get lost. Is it enough? There's a lot of finger-pointing at the carriers and OEMs in the document, and in CIQ's statements, as well.

Basically, it's "the carriers and OEMs" who decide what gets logged; if you're upset, go talk to them. The big problem for CIQ might be if that does happen.

Suppose many consumers tell their carriers they don't want CIQ on their handsets. If enough of them do, the carriers may drop CIQ, completely, and use some different technology, one which hasn't been "exposed" yet.

For one, Verizon has said it doesn't use CIQ, and all the testing we've done on Verizon Android handsets supports that. If Verizon doesn't need CIQ, why should the rest?