My Netflix Account was Hacked … Again

Someone Hijacked My Netflix Account

Several someones, perhaps. They had the gall to upgrade my account from 2 to 4 screens. They also renamed two of my “Who’s Watching” profiles to “Hide” and “hide”. Still not sure what that accomplishes.

This was surprising for a few reasons:

  • Only my wife and I have access to the password for Netflix.
  • I use very strong, random passwords generated by my favorite secure password manager, LastPass.
  • My LastPass account is secured by a very strong password and 2-factor authentication.
  • Any password recovery attempts would send an email to my Gmail account, which requires a strong password and is also protected by 2-factor auth.
  • Three days ago, I received a warning from Netflix because they noted suspicious activity. They told me they reset my password. I then logged in and changed it myself, again using a strong password generated by LastPass.

Yet yesterday, I received an email from Netflix that my account was upgraded without my intervention.

How To Check If Your Netflix is Hacked

I spent a good 20 minutes batting questions back and forth with Netflix customer service over chat.

We took a look at the My Activity page. You might want to do the same. It shows everything you’ve been watching. If you see anything unusual in there, click the link at the top named See recent account access.

The Recent Account Access page shows you every IP address and country that’s accessing your account.

I had entries from Germany, Italy, and all over the US.

[Screenshot: Netflix "Recent Account Access" page, 2016-11-19]
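To make that review less of an eyeball exercise, here is an added example (my code, not anything from the original post or from Netflix) that runs three checks over a constructed copy of such an access list: entries from countries the owner has never been in, two accesses from different countries too close together for anyone to have travelled between them, and how many distinct addresses each country used. The rows, timestamps, device names and (RFC 5737 documentation-range) IPs are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the rows on the "Recent account access" page.
# Timestamps, countries, devices and IPs are invented for this example.
SAMPLE_ACCESS = [
    ("2016-11-17 20:15", "US", "198.51.100.10", "Roku"),
    ("2016-11-18 03:42", "DE", "203.0.113.77", "Android phone"),
    ("2016-11-18 04:10", "IT", "192.0.2.45", "Web browser"),
    ("2016-11-18 19:05", "US", "198.51.100.10", "Roku"),
    ("2016-11-19 11:30", "US", "198.51.100.23", "iPhone"),
]


def parse(rows):
    """Turn raw rows into (datetime, country, ip, device) tuples, oldest first."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), c, ip, dev)
                  for ts, c, ip, dev in rows)


def unexpected_countries(rows, home=("US",)):
    """Rows whose country is not one the account owner actually uses."""
    return [r for r in parse(rows) if r[1] not in home]


def impossible_travel(rows, window=timedelta(hours=6)):
    """Consecutive accesses from different countries closer together than
    'window'. Nobody flew from Germany to Italy in 28 minutes to watch TV."""
    seq = parse(rows)
    return [(a, b) for a, b in zip(seq, seq[1:])
            if a[1] != b[1] and b[0] - a[0] < window]


def ips_per_country(rows):
    """Distinct addresses per country. Many addresses in one country usually
    means the credentials are in more hands than yours, not one roaming device."""
    out = {}
    for _, country, ip, _ in parse(rows):
        out.setdefault(country, set()).add(ip)
    return {c: len(ips) for c, ips in out.items()}


if __name__ == "__main__":
    for r in unexpected_countries(SAMPLE_ACCESS):
        print("unexpected country:", r)
    for a, b in impossible_travel(SAMPLE_ACCESS):
        print("impossible travel:", a[1], "->", b[1], "in", b[0] - a[0])
    print("addresses per country:", ips_per_country(SAMPLE_ACCESS))
```

Netflix only shows the country it geolocated each IP to, so the checks are coarse by design; the point is that any hit at all is reason to change the password and sign out every device, not to investigate further.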

What To Do If Your Netflix is Hacked

Netflix customer support told me to change my password, yet again. I changed my password to a 60-character random value, the maximum allowed.

They also told me to go into My Account > Settings and click on Sign out of all devices.

They assured me that this would solve the problem.

It’s been 2 days, and there’s been no further access.

How Do I Think My Netflix Got Hacked?

I don’t know for sure, there are many possibilities.

My home network could be infiltrated. Hoping it’s not that.

I didn’t always use different, strong passwords for every single service. Years ago, when I signed up for Netflix, I used a pattern where I’d use a non-dictionary word or phrase, and suffix it with the service name. So perhaps it’d be something like “gr8tstuff@netflix”.

I’m guessing my email and a variation of this password showed up in a data breach somewhere. Let’s say it was the Yahoo! breach, which recently leaked 500 million accounts and passwords.

If my account at Yahoo was protected by a password like “gr8tstuff@yahoo”, then a clever hacker would see that I’m following the pattern of a known string followed by the service name. They could easily guess that I might also have a Facebook account protected by “gr8tstuff@facebook” and a Netflix account with “gr8tstuff@netflix”.
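To show what that pattern costs, here is an added example (my code, not the post's) that audits a vault export for service-suffixed or service-prefixed passwords sharing one base, and derives the guesses an attacker would try from a single leaked password. The vault contents are invented; “gr8tstuff” is the stand-in base the post uses.

```python
import re

# Constructed vault export (service -> password). Values are invented.
SAMPLE_VAULT = {
    "yahoo": "gr8tstuff@yahoo",
    "facebook": "gr8tstuff@facebook",
    "netflix": "gr8tstuff@netflix",
    "forum": "forum_gr8tstuff",        # same base, service name as a prefix
    "bank": "Vq7#kL2m!pZ9wR4e",        # a properly random one, for contrast
}


def strip_service(password, service):
    """If the password is <base><sep><service> or <service><sep><base>, return
    the base; otherwise None. The separator is optional and non-alphanumeric."""
    svc = re.escape(service)
    for pat in (rf"^(.+?)[^A-Za-z0-9]?{svc}$", rf"^{svc}[^A-Za-z0-9]?(.+)$"):
        m = re.match(pat, password, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def derivable_groups(vault):
    """Services whose passwords share one base once the service name is removed.
    Any group of two or more means leaking one password reveals the others."""
    by_base = {}
    for service, pw in vault.items():
        base = strip_service(pw, service)
        if base:
            by_base.setdefault(base.lower(), []).append(service)
    return {b: sorted(s) for b, s in by_base.items() if len(s) >= 2}


def guesses_from_leak(leaked_pw, leaked_service, targets,
                      separators=("@", "", "-", "_", "!", ".")):
    """What an attacker does with the breached Yahoo password: peel off the
    service name and re-suffix the base for every other service of interest."""
    base = strip_service(leaked_pw, leaked_service)
    if base is None:
        return {}
    return {t: [f"{base}{sep}{t}" for sep in separators] for t in targets}


if __name__ == "__main__":
    print("derivable groups:", derivable_groups(SAMPLE_VAULT))
    print("guesses from the Yahoo leak:",
          guesses_from_leak("gr8tstuff@yahoo", "yahoo", ["netflix", "facebook"]))
```

Run against a real vault export, a non-empty result from derivable_groups is the list of passwords to rotate first, and the handful of guesses per target is why a credential-stuffing run needs only a few tries per site rather than a brute force.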

Or perhaps Netflix was hacked a while back, and my old password was used by many individuals until I changed it recently.

In any case, just changing my password wasn’t enough to kick out the interlopers using my old Netflix password. Their devices still had access.

How To Log Into Netflix on Roku with a Really Long Password

I’d rather sled bare-back on a giant cheese grater than type 60 random characters into a Roku with a remote control. Let alone 3 Rokus.

Roku has Android and iOS apps, and they support typing (and copy-pasting) using your smartphone or tablet keyboard. This is a life-saver.

Here’s the official Roku app in the Google Play Store. Here’s the official Roku app in the iTunes App Store. The iOS app is hard to find using an iPad. You have to change your filter from “iPad Only” apps to “iPhone Only” apps.

Once you have the app talking to your Rokus:

  • Navigate to the Netflix login screen on the Roku. Enter your email.
  • Open the Roku app on your phone or tablet and select the Roku device you want to control. Click the Remote button to open the virtual remote control.
  • In the Roku app, tap the keyboard icon near the bottom. This should open a text box and show the virtual keyboard.
  • Switch to your password manager and highlight/copy your password.
  • Switch back to the Roku app.
  • Paste the password into the text field in the Roku app. Watch all the characters get typed into the Roku.
  • Realize that pasting 60 characters in a row doesn’t work reliably and login is failing.
  • Divide your password up into 6 groups of 10 characters.
  • Flip back and forth between apps pasting 10 characters at a time.
  • Keep doing this until it works.
  • It’s still better than typing 60 random characters.

What Could Netflix Do Better?

  • Require re-authentication to change service levels.
  • Make sure old passwords don’t work for changing service levels.
  • Allow users to restrict viewing to known countries.
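Here is an added example, not Netflix's code and not anything from the original post, of the two server-side rules the first two bullets ask for: sessions issued before the most recent password change stop working even though the device still holds its token, and a plan change requires the current password again even on a live session. The account model, plan names and passwords are made up for the example.

```python
import hashlib
import hmac
import os

PLANS = {"2 screens", "4 screens"}   # invented plan names for the example


class Account:
    """Toy account: a hashed password, server-side sessions stamped with their
    issue time, and a plan that can only change after re-authentication."""

    def __init__(self, password, now):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.password_changed_at = now
        self.sessions = {}            # token -> issued_at
        self.plan = "2 screens"

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check(self, password):
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def login(self, password, now):
        if not self._check(password):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = now
        return token

    def change_password(self, old, new, now):
        if not self._check(old):
            return False
        self.pw_hash = self._hash(new)
        self.password_changed_at = now   # every earlier session is now dead
        return True

    def sign_out_all(self):
        """What Netflix's 'Sign out of all devices' button does."""
        self.sessions.clear()

    def session_valid(self, token):
        issued = self.sessions.get(token)
        return issued is not None and issued >= self.password_changed_at

    def change_plan(self, token, password, new_plan):
        """A live session is not enough: the caller must present the password."""
        if not self.session_valid(token):
            return "denied: session expired"
        if not self._check(password):
            return "denied: re-authentication failed"
        if new_plan not in PLANS:
            return "denied: unknown plan"
        self.plan = new_plan
        return "ok"


def scenario():
    """Replays the post's timeline with the rules above in place."""
    acct = Account("gr8tstuff@netflix", now=0)
    # An interloper who got the old password from a breach logs in first.
    thief = acct.login("gr8tstuff@netflix", now=1)
    thief_before = acct.change_plan(thief, "gr8tstuff@netflix", "4 screens")
    # The owner changes the password afterwards.
    acct.change_password("gr8tstuff@netflix", "kQ9#vT2m!xL7pR4w", now=10)
    thief_after = acct.change_plan(thief, "gr8tstuff@netflix", "4 screens")
    owner = acct.login("kQ9#vT2m!xL7pR4w", now=11)
    owner_wrong = acct.change_plan(owner, "gr8tstuff@netflix", "2 screens")
    owner_ok = acct.change_plan(owner, "kQ9#vT2m!xL7pR4w", "2 screens")
    return {"thief_before": thief_before, "thief_after": thief_after,
            "owner_wrong_pw": owner_wrong, "owner_ok": owner_ok, "plan": acct.plan}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

Note what the replay shows: re-authentication alone does not stop someone who already has the password (the thief's first upgrade succeeds). It is the password change killing older sessions that throws them out, which is exactly the step the post had to do by hand with "Sign out of all devices".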

Is My Netflix Account Secure Now?

I don’t know. Time will tell.


Mute the microphone in GoToMeeting using a hotkey and AutoHotKey

My favorite Windows desktop automation utility is AutoHotKey. I use it to fix a variety of annoyances and add functions to applications that I wish the original authors had seen fit to add.

I like being able to mute my microphone quickly using a hotkey combination when using a voice chat app. We use GoToMeeting at work. GoToMeeting doesn’t seem to provide any hotkey capabilities for common operations like muting the microphone.

When in use, the Windows GoToMeeting client presents a control interface that contains common controls like mute/unmute, webcam and screen sharing. It looks like this:

[Screenshot: GoToMeeting control interface]

I tried to use the Window Spy utility that comes with AutoHotKey to get the window and control information for that microphone mute button. However, the mute button doesn’t appear to be a separate control that Window Spy can identify.

So I’ll use AutoHotKey’s ControlClick command to click the microphone mute button for me using X,Y coordinates relative to the window container.

Below is my AHK snippet, which I place within my general AutoHotKey.ini file. It maps Ctrl-Alt-X to click that button. Ctrl-Alt-X is a keyboard combo that I can strike one-handed, but which I won’t accidentally invoke otherwise. You can map it to whatever keyboard combination you like.

I admit the solution is brittle. If GoToMeeting changes their UI such that the coordinates of the mute button change, this will break. They’ve done it before.

Then again, mapping AHK to window and control IDs isn’t exactly rock solid anyway, so these kinds of fixup scripts are always a little brittle.

Enjoy!

; Ctrl-Alt-x toggles mute in GoToMeeting
^!x::
; SetControlDelay is recommended by AHK to
; improve reliability by avoiding holding
; the mouse button down during the ControlClick.
SetControlDelay -1
; Specifying NA avoids marking the target
; window as active and avoids merging its
; input processing with that of the script, yada yada. RTFM.
ControlClick, X50 Y25, ahk_class G2WShareActionButtons,,,, NA
return

Don’t buy USB gadgets this holiday season

My wife just told me about someone in her company who bought USB-powered hand-warming gloves. I cringed.

I am insanely suspicious of all USB-powered devices. I won’t let them near my computer. Why?

BadUSB, that’s why.

There’s a fun new attack loose in the world. Some smart folks have figured out that the controller chip inside millions (billions?) of cheap USB devices has rewritable firmware, and a device with rewritten firmware can claim to be … just about anything: a keyboard, a network adapter, a disk.

Ripping from yesterday’s headlines, here’s a reddit story regarding a system administrator who tracked down a data breach to a USB-powered e-cigarette charger.

Imagine a device that behaves like a USB thumb drive one minute, then, when you walk away and the computer is idle, re-enumerates as a keyboard and types whatever commands its author wants, rummaging around inside all your files.

Maybe the device causes the PC to reboot, and then boots off a hidden partition on the thumb drive in order to truly ransack your PC’s contents, sending the found data off to who-knows-where.

Maybe it infects your PC with a virus that encrypts every file on your computer and ransoms you for the decryption keys. Crazy? Not at all. It’s probably happening to someone right now.

For many years, extremely security-conscious companies have had their IT staff fill USB ports with hot glue, or disable USB entirely. They used to look like crazy tinfoil hat people. Not anymore.

Bottom line: be aware and be wary of USB devices handed to you, not just drives. USB sticks have been a great way to share files in the past, but with this attack in the wild you should no longer trust USB hardware of unknown origin.
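The “thumb drive one minute, keyboard the next” behaviour does leave a trace in the kernel log. Here is an added example (my code, not from the original post) that walks a constructed dmesg excerpt and flags any vendor:product ID that has bound both the mass-storage driver and a HID keyboard interface. The log lines are fabricated to match the formats the Linux USB core, usb-storage and hid-generic print; a real keyboard is included as a control, and the vendor/product IDs are arbitrary.

```python
import re
from collections import defaultdict

# Constructed dmesg excerpt, not a real capture. A flash drive on port 1-3
# enumerates as mass storage, disconnects, then reappears with the same
# VID:PID presenting a keyboard interface. A plain keyboard sits on port 1-1.
SAMPLE_DMESG = """\
[  100.10] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 0.01
[  100.12] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0
[  101.20] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  101.21] usb 1-3: Product: Cruzer Blade
[  101.50] usb-storage 1-3:1.0: USB Mass Storage device detected
[  340.10] usb 1-3: USB disconnect, device number 5
[  340.90] usb 1-3: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  341.00] hid-generic 0003:0781:5567.0003: input,hidraw1: USB HID v1.11 Keyboard [Cruzer Blade] on usb-0000:00:14.0-3/input0
"""

NEW_DEV = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.\d+: "
                     r".*?USB HID v[\d.]+ Keyboard")


def classify(log):
    """Return {vid:pid -> {roles}} and {vid:pid -> port} after walking the log.
    usb-storage lines name the port, so the port->ID map from the enumeration
    line is what ties the storage role back to a device."""
    port_to_id, roles, ports = {}, defaultdict(set), {}
    for line in log.splitlines():
        if m := NEW_DEV.search(line):
            dev = f"{m['vid']}:{m['pid']}".lower()
            port_to_id[m["port"]] = dev
            ports[dev] = m["port"]
        elif m := STORAGE.search(line):
            dev = port_to_id.get(m["port"])
            if dev:
                roles[dev].add("storage")
        elif m := HID_KBD.search(line):
            roles[f"{m['vid']}:{m['pid']}".lower()].add("keyboard")
    return dict(roles), ports


def suspicious(log):
    """Devices that have been both a disk and a keyboard: (vid:pid, port)."""
    roles, ports = classify(log)
    return sorted((dev, ports.get(dev, "?")) for dev, r in roles.items()
                  if {"storage", "keyboard"} <= r)


if __name__ == "__main__":
    for dev, port in suspicious(SAMPLE_DMESG):
        print(f"ALERT: {dev} on port {port} enumerated as both storage and keyboard")
```

A composite device that is genuinely both (a keyboard with a built-in card reader) will trip this too, which is fine: on a workstation that should never see such a thing, a manual look is the right outcome. The check says nothing about a device that only ever claims to be a keyboard, so it complements rather than replaces port blocking.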

It’s Not Dead Yet – Replacing an Auria EQ276W Power Supply

TL;DR – If you need a replacement power supply for the Auria EQ276W monitor:

  • The manufacturer, EQD, has apparently declared bankruptcy.
  • One reader purchased this replacement by Upbright, but hasn’t reported back as to how it worked out. From the description and reviews, it seems like a good choice.
  • A couple readers of this blog have found this T-Power power supply on Amazon. Be warned, however, that this model is rated for only 5A, which is less than the 6A factory power supply. Readers have reported it works. One reader received a defective unit, and T-Power demonstrated great support and replaced it with a working unit.
  • If you’re electronically inclined, you can purchase any properly rated power supply and solder the old power cable onto the appropriate leads. You’re looking for a 24 volt supply that can handle over 6 amps. Make sure the supply has adequate heat sinks or cooling to handle that much power. Here is one power supply a reader has successfully adapted.

On to the story…

In July 2012, I read Jeff Atwood’s post, The IPS LCD Revolution. Super-high-resolution 27″, no-name computer monitors from Korea for under $400? Yes, please!

The local Microcenter had just one EQD Auria EQ276W left, but it was “open-box”. Someone had returned it. I had them plug it in to prove it worked. I negotiated a bit extra off the already-reduced price, a return guarantee and a 1-year warranty from date of purchase, and took it home.

The monitor expired nine months after its warranty.

When I’d plug in the monitor, the green power supply light would light up, the monitor would come on for an instant, then go off. No amount of fiddling could keep the monitor powered up.

My suspicion was that the power supply was dead. It’s usually the power supply, and within the power supply, it’s usually the capacitors that fail (see my post, It’s Not Dead Yet – Fixing the Onkyo TX-SR606 HDMI board).

Here’s the power supply’s badge. Make/model is “Coming Data LP-2460”.

[Photo: power supply badge, Coming Data LP-2460, with pin-out diagram]

The power supply puts out 24V at 6A through a 4-pin round connector. You can see the “pin-out” diagram above the “MADE IN CHINA” text. Two positive leads on the left, two negative on the right.

I tested the power supply with a multimeter and it seemed to still be putting out 24V, but I know that under load, it probably wouldn’t be able to sustain the amps. If I’d had more time, I might have put together some kind of testing circuit to see if I could determine if the supply would fail under load. My discretionary time is limited, so I instead decided to throw money at the problem and get a new one.

I found a couple of sources online that wanted $70 for an exact replacement power supply. $70 is highway robbery for a monitor power supply, IMHO. So I took a flyer on this $30 one from Amazon.

I should not have bought the power supply without seeing a pin-out diagram. Turns out the replacement’s pins are wired differently. They’re off by 90-degrees, meaning the top two pins are positive and the bottom two are negative. That’s a non-starter, quite literally.

The new power supply was also quite a bit lighter than the old one, which is a red flag. It doesn’t contain as much metal to dissipate heat like the old power supply. This could mean even if I get it working, it could burn out or become a fire hazard in short order.

I sat on the problem for a couple weeks until I had some time off work.

I called EQD at their support number and a very helpful tech took my information and said he’d inquire to see if they could send me a replacement power supply out of warranty. So that’s now working in the background.

I decided to take apart the new power supply to see if I might be able to rewire it to correct the pin-out. Nope. There were just two leads in the connector wire, red and black, to feed all four pins. The red would forever be wired to the top two pins, and the black to the bottom two.

It occurred to me that I might be able to re-use the connector wire from the old power supply. I snipped the old connector wire off the old power supply and compared the wiring. Again, just two wires, red and black. But in the old wire, the top left pin didn’t appear to be connected to red. It wasn’t connected to anything I could discern. This was worrisome, as it might mean it was the wire itself that failed. But given the wire hasn’t had any significant stress since I bought the monitor, it seemed unlikely the wire would be faulty. More likely the monitor was pulling all 24V from a single pair of pins.

I soldered the old wire to the new power supply and put everything back together.

Lo and behold, the monitor powered up!

My victory was soured shortly after by several issues.

  1. The new power supply is HOT! Like, “can’t touch it”-hot. Not great, and not worth the fire hazard.
  2. The monitor now hums loudly, which it didn’t before. There’s noise being induced into the monitor. Even with the monitor’s volume set to zero, it hums.
  3. The monitor supports a maximum native resolution of 2560×1440 pixels, but only when connected to a source using DisplayPort or DVI-D Dual-Link connectors. The new laptop I just bought has neither of these kinds of connectors, only HDMI and VGA. So I can’t use the monitor to its fullest potential and instead I’m forced to use up-scaled 1920×1080. I’ve tried some tricks to set custom resolutions using the Intel HD Graphics 4400 configuration app, to no avail. Yuck.

So, an incomplete victory and a long way to go to get this monitor working again. I’ll put the monitor aside for now until either EQD comes through with an OEM replacement power supply, I find another 24V 6A well-designed power supply, or I decide to suck it up and buy an OEM replacement for $70.

Update: June 26, 2014

I ran with the new/modified power supply for a few hours today. It started emitting a toxic burning plastic smell, so I unplugged it. Next stop? The trash.

EQD called back yesterday to tell me they would sell me a new power supply. $45.00 plus $12.35 shipping. The new supply will be rated for 6.25 amps instead of 6.0, so it’s a bit beefier than the original power supply. I took the deal, as I can only find exact OEM replacements on eBay and elsewhere for over $70.

I (somehow) found this 113-page test report for the Coming Data LP line of power supplies. Could be useful if anyone else wants to take a swing at fixing their broken power supply.

Update: July 22, 2014

The replacement power supply arrived last week and the monitor is back in business! The power adapter runs relatively cool, and there’s no hum.

Additionally, I bought my way out of the predicament with my laptop not being able to drive the monitor to its full resolution with this StarTech USB 3.0 to DisplayPort external video card. Not the ideal solution, but as close as I could come without returning the laptop which I otherwise like.

Update: September 18, 2014 

A reader let me know that the (877) 375-1065 phone number for EQD is no longer working. I tried the number myself and confirmed it.

Update: October 2, 2014 

Great sleuthing by an anonymous commenter! The number to reach EQD directly is (949) 246-5270. Guess they got tired of paying the bills from the toll-free number with all of us dissatisfied owners calling.

Update: June 18, 2015

It appears EQD filed for bankruptcy on September 25, 2014. I guess there’s no profit in replacing burned out power supplies. QED, EQD.

Update: June 23, 2015

More praise coming in for the T-Power replacement. A reader received a defective power supply via Amazon, and T-Power replaced it with a working one.

Update: June 23, 2016

My own Auria is still chugging away happily on the replacement power supply I received from EQD before they filed bankruptcy. I’m writing on it right now.

Mysterious Microphone Problem Solved

All week people at work have been complaining that while on calls (Skype, Hangouts, etc), the volume of my voice would mysteriously dip. They’d say that they could still hear what I was saying, except it sounded much quieter than usual. It didn’t sound like the usual VOIP-ing out that occurs with bandwidth issues.

This seems to have started happening out of the blue. Or maybe finally people decided to start complaining to me about it. I was racking my brain to figure out what was happening.

It didn’t matter what app I used: Skype, Hangouts, TeamSpeak – they all suffered.
I changed headsets. Nothing.
I changed USB ports. Nothing.
I scoured all my audio settings. Found nothing.
I use wired Ethernet, so it’s not a Wi-Fi problem.
I didn’t think it was a network problem, but still, I rebooted my router and cable modem and fiddled with Quality of Service (QoS) settings. No dice.

During a Skype call today, I brought up the Skype audio settings panel and witnessed the following. Watch the blue ball under Microphone — this indicates the microphone input gain. Even though I turned off "Automatically adjust microphone settings", it was moving around.

[Animated screenshot: Skype audio settings panel, microphone gain slider moving on its own]

I determined that the dips were coinciding precisely with my pressing keys on the keyboard.

I then remembered a setting I’d seen in the Lenovo Settings app:

[Screenshot: Lenovo Settings app, 2014-04-18]

A-HA! Suppress keyboard noise!

I turned that switch off, and the problem disappeared.

I kinda remember turning that setting on, vaguely, forever ago. I assumed it would only be in effect if I was using the built-in microphone on the laptop. In that case, it’d be useful to suppress the thudding of my typing inches away from the built-in laptop microphone. I never imagined it would also be in effect while using a headset.

INFURIATING!

A Close Call with Verizon Wireless (a story of fraud)

This afternoon I received an unexpected call from Verizon Wireless, my cell phone carrier. A customer service rep was calling to ask me if I had requested a change in billing address on my account. I had not. She informed me that someone in possession of the last 4 digits of my Social Security Number had attempted to change the details of my account. She said that when she pressed the scammer for more identity verification, the scammer hung up. She then called me.

Great, someone out there knows some things about me, like my name, perhaps my Verizon Wireless phone numbers or account numbers, and at least the last 4 digits of my SSN. Frankly, I’m not terribly surprised. Every day there’s a new story about some web site that let itself get hacked and lost all their users’ personal data.

The Verizon rep and I danced a bit as I attempted to discern whether this call itself was a scam. I’m suspicious by nature and consider myself fairly information security-savvy. So when the rep asked me to provide her with the last 4 digits of my SSN, I got cagey. We eventually compromised by agreeing that if I could log into my Verizon account (which I could) and change a certain field, she should be able to tell me what I changed. We did that, and I was satisfied I was actually talking to someone at Verizon. (I also Googled the caller ID number while we were speaking, but caller ID can be faked).

The rep had me set a billing password on my account which would henceforth be used as an identity check instead of my SSN.

My rep paused and said, “Uh oh.” Apparently the scammer was at it again, with a different rep. My rep noticed that the name and billing address had been changed on my account, while we both sat there and watched it happen.

The rep apologized and put me on hold while she IMed and then called the other rep. The other rep was not following the procedure for verifying the customer’s identity. Had the scammer gotten that rep earlier, it could have cost me dearly.

I had to wonder whether my setting of the billing password had taken effect before or after the second rep let the scammer through.

My rep reached the other rep, and they dumped the caller. My rep also sent a message to the other rep’s supervisor.

“This guy has apparently been at this all day,” she said. The scammer had been calling rep after rep, trying to find a chink in the armor, a rep who wouldn’t properly verify the customer’s identity. There were notes in my account log attesting to this.

My rep had me reset my billing name and address. She said they’d report the incident to the fraud division. No clue what could happen next there.

I asked my rep what the angle here was. “What we usually see is that they change the address, then order a bunch of stuff to be delivered to the new address.”

Crazy.

So I have a first and last name (probably fake) and New York City street address and apartment number of somebody who was attempting to defraud me.

I tried the NYPD first, but they told me I had to go through my local police. So I filed a local police report and got a case number. Tomorrow I’ll see if I can raise the interest of the NYPD.

What else might this guy try to hijack? I’ll be checking all my bank and credit card accounts to make sure I’ve got all possible security controls in place. Since my SSN may have been compromised, I submitted for an automated 90-day fraud alert with Equifax/Experian/Transunion.

Kudos to this one rep at Verizon for following procedure and contacting me. But shame on Verizon for (1) letting this guy try this all day long to subvert the system and (2) hiring the rep that actually changed my account information without rigorous validation of my identity.

It’s Not Dead Yet – Fixing the Onkyo TX-SR606 HDMI board

In July 2007, I was in the market for a surround-sound receiver with HDMI support. My research led me to purchase an Onkyo receiver, model TX-SR605, from the now-defunct Circuit City. I was very happy with the receiver until 9 months later when it decided that of the two possible operational states, “off” and “on”, it preferred “off” 100% of the time.

It was still under warranty. Circuit City had me bring it to a nearby Onkyo-certified repair center. And there it sat for two months awaiting a part, “Micro Q701”, which never came.

I called Onkyo and raised a storm, and they somehow miraculously found and shipped the part overnight. But it didn’t fix the problem.

After considerable badgering, Onkyo swapped out the 605 with the next model up, the TX-SR606. The TX-SR606 has worked well for the past five years.

This month, we purchased our first Blu-Ray player. While playing our very first Blu-Ray, the receiver would frequently drop the HDMI signal and black out. No Signal, no good.

Apparently the TX-SR606 is notorious for its shoddy HDMI switching board. The internet is full of complaints and some DIY instructions for attempting repairs. The following sites were very helpful:

As with so many consumer electronics failures, bad capacitors are to blame.

I researched which capacitors to purchase and settled on this item at DigiKey. I needed 5 but bought 10 just in case. The total order was $4.85 and the shipping cost more than the parts.

The parts arrived yesterday, and last night I worked on the receiver.

Of all the repairs I’ve attempted, this was on the easy side. The receiver’s case was easy to remove. The HDMI board was right on top and easily accessible. I was thankful for the tips I’d read regarding disconnecting the ribbon cables without damaging them by pushing down on the white connector.

The work took just about two hours from start to finish. Here are pictures of the modified board with the new capacitors highlighted (click to enlarge).

[Photos: the modified HDMI board, new capacitors highlighted]

I tested the Onkyo after re-assembly, and the fix seems to have worked. I successfully played 15 minutes of a Blu-Ray without any dropouts.

There remains a weird problem whereby occasionally, when switching HDMI channels, the screen takes on a purple hue.

As a work around, switching back and forth, or going into the receiver’s Options menu and back, seems to clear it up. I’ll have to research this problem separately.