Sunday, February 11, 2018

Netflix don't know their own security processes

On the 9th February, unbeknownst to me, my wife accidentally typed in the wrong password several times into Netflix.

I then got an email from Netflix:

Password reset required 
Dear CHRISTOPHER, 
We’ve detected a suspicious sign-in to your Netflix account. Just to be safe we've reset your password and you’ll need to set a new one. 
SET A NEW PASSWORD
Use the button above or type www.netflix.com into your browser, click on “sign in”, and then click “forgot your email or password.” Follow the instructions to set a new password. 
If you have any questions we are here to help. Visit the Help Center for more info or contact us. 
–The Netflix Team

I spoke to 4 separate people, and they all say that this is a "phishing email" as there is no way that Netflix can ever reset the password from their end - apparently only customers can initiate password resets.

I got pretty annoyed as I take security fairly seriously, and if someone had compromised my account, I'd like to know more about it. So I test what I'm being told by Customer Service, and find the following link:

https://help.netflix.com/en/node/56461

This reads:

We will occasionally email our members encouraging them to change their account passwords as a precautionary measure. These emails are usually sent in response to username and password breaches at other companies, phishing schemes, observed suspicious account behavior, or malware attacks.
In these instances, we will notify you that we have reset your password; however, some of the devices you own may stay signed in for your convenience. You will have the option to automatically sign out of all devices when you set up a new password. If you used the same password for any other online sites, we recommend that you also change your password for those accounts.

So the last guy I speak to talks over the top of me, and says "you just don't get it". So I ask for a supervisor. I wait for 40 minutes (I'm quite a determined guy) and whilst I'm waiting I go online. The following is the chat transcript:

tl;dr basically "Jason" tells me that they never initiate password resets and that I'm looking at a phishing email (which I'm not, and I prove by sending him the message headers), that I'm reading the Netflix article "out of context" (???), and he will ask to have it updated.

Your issue is: rude and inaccurate customer service
You are now chatting with: Jason
You
hi Jason
Netflix Jason
Hi! :)
Netflix Jason
I'm sorry to hear that.
You
I'm on the phone right now
Netflix Jason
On behalf of Netflix please forgive us for that experience.
You
four customer service reps have now told me it is impossible for me to get an email saying due to suspicious activity Netflix reset my password
You
one of them was a supervisor
Netflix Jason
I just hope a resolution was provided for the concern you're calling about.
You
who just talked over the top of me, didn't know what he was talking about and accused me "you just don't get it"
You
no, I'm still on the line!
You
what, precisely, don't I get?
You
they insisted it must have come from "hackers" or someone hit the reset password link
You
and it didn't
You
is this the sort of customer service Netflix gives?
You
that's literally four reps who don't believe Netflix can change my password
You
https://help.netflix.com/en/node/56461
Netflix Jason
Can you tell me exactly what happened?
You
I even got the last guy to read it, and he STILL didn't believe this could happen
Netflix Jason
Actually we can't.
Netflix Jason
We don't have access.
You
actually, you can't but Netflix can
Netflix Jason
We can only send you a reset link.
You
the email is "Dear CHRISTOPHER,
We’ve detected a suspicious sign-in to your Netflix account. Just to be safe we've reset your password and you’ll need to set a new one."
You
so yes, Netflix can and will reset passwords
Netflix Jason
We don't even have your passwords in our system.
You
it even says so on your site:
Netflix Jason
We don't keep records of passwords.
You
In these instances, we will notify you that we have reset your password; however, some of the devices you own may stay signed in for your convenience. You will have the option to automatically sign out of all devices when you set up a new password. If you used the same password for any other online sites, we recommend that you also change your password for those accounts.
You
https://help.netflix.com/en/node/56461
Netflix Jason
That notification is totally taken out of context.
You
then why did Netflix send me an email telling me you had reset my password?
You
and sure enough, my password was reset
Netflix Jason
The customer will have to initiate the password change.
You
wrong
You
no, read that article on the Netflix website again!
Netflix Jason
Then the system or representative will send a link to your email so that you can change the password.
You
it says "In these instances, we will notify you that we have reset your password"
You
in other words, Netflix resets the password
Netflix Jason
We can't really.
You
can you explain how your own website says that?
You
yeah, then why does your own website say that Netflix can reset my password?
You
https://help.netflix.com/en/node/56461
You
have you read this?
Netflix Jason
Again it's been taken out of context.
You
how?
You
I got an email that my password has been reset
Netflix Jason
If you want I will provide feed back for you so that it can be revised.
You
and indeed, my password had been reset
You
it doesn't need to be revised!
You
that's what actually happened!
You
why did I get that email then?
Netflix Jason
Look, you made contact. You need assistance. I'm telling you how it works.
Netflix Jason
Then let's figure it out.
You
OK, if you are telling me how it works, then can you explain the email I received?
Netflix Jason
Have you lost access to your Netflix?
You
the email says:
You
"Password reset required
Dear CHRISTOPHER,
We’ve detected a suspicious sign-in to your Netflix account. Just to be safe we've reset your password and you’ll need to set a new one.
SET A NEW PASSWORD
Use the button above or type www.netflix.com into your browser, click on “sign in”, and then click “forgot your email or password.” Follow the instructions to set a new password.
If you have any questions we are here to help. Visit the Help Center for more info or contact us.
–The Netflix Team"
You
how is that "out of context"?
Netflix Jason
Ok this is clearly a phishing email.
Netflix Jason
We do not send anything like that.
Netflix Jason
Test your account.
Netflix Jason
SIGN OUT then SIGN IN. See if you have lost access.
You
nope, mail headers show it's from Netflix
You
Delivered-To: <my email address>
Received: by 10.74.131.83 with SMTP id q19csp1869842oog;
Thu, 8 Feb 2018 13:11:40 -0800 (PST)
X-Google-Smtp-Source: AH8x227dnJIPEgqm2ezeY/9ZE3fAMeUmiYW42h0V/T2YOyFJMEzfnNE2+rIv9y58XO4qxaPrB4wd
X-Received: by 10.55.214.65 with SMTP id t62mr536593qki.351.1518124300356;
Thu, 08 Feb 2018 13:11:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518124300; cv=none;
d=google.com; s=arc-20160816;
b=xvZttTVW9UR+sy6tboHlwcnWhwgPIkCwg/pzu7Jku2nT0cVkX4OVqXHNAXbY79Ld1y
6xDIePeWfKnVHid+uT2ww8VPi1M4zzVleb8ofeyIcWRN3c8ySScC77jejsAUX4NbYDTK
BUi4c+fHTkTvIgixnLNTHZE3S4jeyrdFsJsxX/gadhzvf4Pt1p72HIngPAh/iwB056rZ
F2a+2pNzfRbe0XWy78rcs1x/jvjqGnRKz4CHg3blVgBkgPi8ocKh/8F+7futS2QLsdYi
C2HuvUfXoE6hw3GJLfWAP/ltJini861Xv/Wdf0IDsqC17bPbb6UXDXZCd89EpyuvvFV8
UjbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=feedback-id:list-unsubscribe:precedence:mime-version:subject
:message-id:to:sender:from:date:dkim-signature:dkim-signature
:arc-authentication-results;
bh=oOAy3CiUxh+PbdPyEubLiydYu/fgIyh2XEBmyx49D7A=;
b=TCbuJ7coONxCi5puG0qI7B7SGcR9FywSxGm5b03YqPJ7WppaTQNTT/VOu89q/FYqcu
/8mr50OFwA2B1p9mzlJiAJvc1H44bs40RGqykoLb4wH/rTuQXl6YQLArlU5pNkuclK1v
6aCCH/Zn8Cthpf4MaR4k8wLuz18NX8gwfSaOvm6NS8sRcDvfyNEZwWDD4wfvA8ui7xbZ
o7N2OQEeu50VH9e0KE9AP+/iYVndI0pb3o+GnPGgnB7kHoNoiy95qw4Y8r0P4BrSeF7o
7Lgh0DBB9RsIbh/vJgkw4t966fqn4C5JfsVmrzHTpVIusgzESqUHVNr9r2tr0K82lFAT
Xf2A==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@netflix.com header.s=wsh2ycm5iultkbdysii4ijqi22uurzvv header.b=Ju48Kj89;
dkim=pass [non-Netflix link blocked]header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=avCLQKcv;
spf=pass (google.com: domain of 010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@mailer.netflix.com designates 54.240.14.187 as permitted sender) smtp.mailfrom=010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@mailer.netflix.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=netflix.com
Return-Path: <010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@mailer.netflix.com>
Received: from [non-Netflix link blocked] [non-Netflix link blocked] [54.240.14.187])
by [non-Netflix link blocked] with ESMTPS id r6si57474qkb.470.2018.02.08.13.11.39
for
(version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Thu, 08 Feb 2018 13:11:40 -0800 (PST)
Received-SPF: pass (google.com: domain of 010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@mailer.netflix.com designates 54.240.14.187 as permitted sender) client-ip=54.240.14.187;
Authentication-Results: mx.google.com;
dkim=pass header.i=@netflix.com header.s=wsh2ycm5iultkbdysii4ijqi22uurzvv header.b=Ju48Kj89;
dkim=pass [non-Netflix link blocked]header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=avCLQKcv;
spf=pass (google.com: domain of 010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@mailer.netflix.com designates 54.240.14.187 as permitted sender) smtp.mailfrom=010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@mailer.netflix.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=netflix.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=wsh2ycm5iultkbdysii4ijqi22uurzvv; d=netflix.com; t=1518124299;
i=@mailer.netflix.com;
h=Date:From:Sender:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe;
bh=rlAIU4r//XJoOnUVbGdtJyKyUSgzLS4h9fyRpIYRwDM=;
b=Ju48Kj89riXzwTCY5qLR2VOna/nF3YRgMbFfoTZBHuwohzdT4A0GnPqbKPCx7S8d
mVmLmB/SDY7JbBaOa77Zi4P6BF7m/J9a4viHA2J0jYKaI+P0S3pe15ArXAAU0uAEsux
l711QyDjDiEwiIDhKc4kFgf50L1DiXmtk/t/VyaI=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1518124299;
h=Date:From:Sender:To:Message-ID:Subject:MIME-Version:Content-Type:List-Unsubscribe:Feedback-ID;
bh=rlAIU4r//XJoOnUVbGdtJyKyUSgzLS4h9fyRpIYRwDM=;
b=avCLQKcv9FVTs3xlGcfVJ4f88Nta3VGcn6ToUEDzfW9qpkcWpsAtD73vpIA8DoYZ
Dr8qab2YVZORQGiyVv9isM6U5mGDra0mgWxxBgWS/hZreVsUrCCTOS2uVdgS3Q+j8s0
0MjI648Nhsnr6tBhEcoNdDMK5hS2LO1bGCgSzwyE=
Date: Thu, 8 Feb 2018 21:11:39 +0000
From: Netflix
Sender: Netflix
To: <my email address>
Message-ID: <010001617742739c-0daddaa6-5755-4638-ba13-3efbdad23cf8-000000@email.amazonses.com>
Subject: Netflix password reset required
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_132692_67010129.1518124299164"
X-To: <my email address>
Precedence: bulk
X-AppInfo: Netflix Mercury s.54d3d7d.2535
X-ProcEnc: BQAtAAEBEPvcm7MGMcMv7UifU3LjkkEQd/J3ASn5wkGSWcFnHH2ZTQ==
X-MailingID: mercury::LR::12699::50E29A9468B8D6EDBCE02367FACF7DCD64529BF0::<1617742739C@netflix.com>
X-GroupId: 4
X-localeCountry: en::AU
X-ProcInfo: TREADST
Netflix Jason
You can't possibly trust that.
Netflix Jason
You've already spoken to several Netflix experts.
You
yeah, I can actually, Gmail passed this
You
you have DKIM and SPF setup
You
that's definitely from you
Netflix Jason
Why would we ask you to reset the password?
You
how do I escalate this?
Netflix Jason
Forward it to phishing@netflix.com
You
I've been on this phone call for 35 minutes now
Netflix Jason
They were providing you the correct info.
Netflix Jason
Someone is trying to take over your account.
Netflix Jason
Trapping you to reset your password.
Netflix Jason
That is clearly not our process.
You
how do I get a technical person who knows what they are talking about?
Netflix Jason
You're chatting with one.
Netflix Jason
You've spoken to others as well.
You
so to be clear, you have an article that says that security emails will be sent out that passwords are reset
You
I've given you the headers, which show that it's come from your network
You
there is no way to spoof those headers
Netflix Jason
Those are notifications once you have reset the password.
You
do you know what DKIM actually is?
You
no, it's not!
Netflix Jason
Can you answer this question for me.
You
it's a notification that Netflix reset that password
You
sure
Netflix Jason
Have you tried to SIGN OUT then SIGN IN?
You
I reset the password!
You
from Netflix's site!
Netflix Jason
Did you get an error message that your password is wrong?
You
the old password no longer worked!
You
yes!
You
no, that the username and password WAS wrong
You
it had indeed been reset
Netflix Jason
Then it's correct someone took over your account.
Netflix Jason
You can see it.
You
and then they sent me an email that they had detected suspicious activity
Netflix Jason
You'll be able to see RECENT ACCOUNT ACCESS.
Netflix Jason
You'll see the IP ADDRESS, LOCATION, DEVICE. Date and TIME.
Netflix Jason
Did you check that out?
Netflix Jason
I see that you're already speaking to someone on the phone, do you still need me on this line?
You
they are literally contradicting you right now
Netflix Jason
Ok.
Netflix Jason
Anything else that I can do for you today? :)
You
someone will be having a word with you soon
Netflix Jason
That's alright.
Netflix Jason
By the way I sent you a link to our Help Center just for your reference. It's like our own version of Google where you can just type keywords of your inquiries or even error codes and it will show you exactly what needs to be done!
Netflix Jason
Oh, for future reference please check this link. Please
Click Here . Just a VERY important tip to save your time in the future, As long as you see that the servers are up on that link that means that the issue can be resolved by calling either your Internet service provider or you device manufacturer. I just want to make sure that you're fully equipped after this chat and I want to be able to still help out i:)
Netflix Jason
and if you want to check on updates to our NEW movie releases and feature updates please follow us on FACEBOOK or TWITTER. You can also chat with us real time on those sites. :)
Netflix Jason
It's been a pleasure chatting with you, have a good one! CHEERS! :)
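
The check I would want alongside that chat log, added here as an example and not code from the post: parse the Authentication-Results header that Gmail stamped on the message and derive a verdict from it, the same reasoning as "Gmail passed this, you have DKIM and SPF set up" but made explicit. Two caveats the chat glosses over. First, the header is only evidence when it carries the authserv-id of your own receiving MTA (mx.google.com here) and sits above any Received line from outside, because a sender can pre-insert an Authentication-Results header of their own; the code therefore reads only the topmost trusted header and stops. Second, an aligned pass proves the mail came from whoever controls the From domain, not that the From domain is the brand you expect, so the verdict reports the domain as well. The two header samples are constructed, modelled on the real ones above with signatures shortened and addresses replaced; the trusted authserv-id and the organisational-domain helper (last two labels, no public suffix list) are simplifying assumptions of mine.

```python
import re

# Receiving MTA whose Authentication-Results header we trust (assumption: Gmail, as in the post).
TRUSTED_AUTHSERV_ID = "mx.google.com"

# Constructed sample modelled on the headers quoted above (signatures shortened,
# addresses replaced). Not a real captured message.
GENUINE_HEADERS = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@netflix.com header.s=wsh2ycm5iultkbdysii4ijqi22uurzvv header.b=Ju48Kj89;
       dkim=pass header.i=@amazonses.com header.s=224i4yxa5dv7c2xz3womw6peuasteono header.b=avCLQKcv;
       spf=pass (google.com: domain of bounce@mailer.netflix.com designates 54.240.14.187 as permitted sender) smtp.mailfrom=bounce@mailer.netflix.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=netflix.com
From: Netflix <info@mailer.netflix.com>
"""

# Constructed phishing sample: the sender pre-inserted a forged Authentication-Results
# header claiming a pass. The genuine one, stamped on top by mx.google.com, reports failure.
FORGED_HEADERS = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=softfail (google.com: domain of transitioning bounce@netflix.com does not designate 203.0.113.5 as permitted sender) smtp.mailfrom=bounce@netflix.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=netflix.com
Received: from mail.attacker.example ([203.0.113.5]) by mx.google.com with ESMTP
Authentication-Results: mx.google.com; dkim=pass header.i=@netflix.com; spf=pass smtp.mailfrom=bounce@netflix.com; dmarc=pass header.from=netflix.com
From: Netflix <info@netflix.com>
"""


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:            # continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_authentication_results(value):
    """Parse one Authentication-Results value: authserv-id, then 'method=result prop=value ...' groups."""
    no_comments = re.sub(r"\([^)]*\)", "", value)    # drop the human-readable (...) comments
    parts = [p.strip() for p in no_comments.split(";") if p.strip()]
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results.append({"method": method, "result": result, "props": props})
    return {"authserv_id": parts[0].split()[0], "results": results}


def org_domain(domain):
    """Organisational domain, approximated as the last two labels (a real check uses the public suffix list)."""
    return ".".join(domain.lower().strip().split(".")[-2:])


def from_domain(fields):
    """Domain of the RFC 5322 From address, which DMARC alignment is measured against."""
    for name, value in fields:
        if name.lower() == "from":
            m = re.search(r"<([^>]+)>", value)
            addr = m.group(1) if m else value.strip()
            return addr.rsplit("@", 1)[-1].lower()
    return ""


def assess(raw, trusted_authserv_id=TRUSTED_AUTHSERV_ID):
    """Verdict built only from the topmost Authentication-Results header stamped by the trusted MTA."""
    fields = unfold_headers(raw)
    sender = from_domain(fields)
    verdict = {"from_domain": sender, "trusted_header_found": False, "dkim_aligned_pass": False,
               "spf_aligned_pass": False, "dmarc_pass": False, "authentic": False}
    for name, value in fields:
        if name.lower() != "authentication-results":
            continue
        ar = parse_authentication_results(value)
        if ar["authserv_id"].lower() != trusted_authserv_id.lower():
            continue                               # not ours: anyone upstream can add such a header
        verdict["trusted_header_found"] = True
        for r in ar["results"]:
            p = r["props"]
            if r["method"] == "dkim" and r["result"] == "pass":
                signer = p.get("header.i", "").rsplit("@", 1)[-1] or p.get("header.d", "")
                verdict["dkim_aligned_pass"] |= org_domain(signer) == org_domain(sender)
            elif r["method"] == "spf" and r["result"] == "pass":
                envelope = p.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
                verdict["spf_aligned_pass"] |= org_domain(envelope) == org_domain(sender)
            elif r["method"] == "dmarc" and r["result"] == "pass":
                verdict["dmarc_pass"] |= org_domain(p.get("header.from", "")) == org_domain(sender)
        break   # only the topmost trusted header counts: the receiver stamps its own above everything else
    verdict["authentic"] = verdict["dmarc_pass"] and (verdict["dkim_aligned_pass"] or verdict["spf_aligned_pass"])
    return verdict


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_HEADERS), ("forged", FORGED_HEADERS)):
        print(label, assess(raw))
```

On the genuine sample the verdict is authentic with From domain mailer.netflix.com; on the forged sample the pre-inserted header is never consulted because the real Gmail header above it already says dkim=none, spf=softfail, dmarc=fail. The amazonses.com DKIM pass in the first sample is deliberately ignored: a valid signature from an unrelated domain says nothing about alignment with the From address.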

Tuesday, January 3, 2017

Comprehensive logging in Windows Update in Windows 7

If you want to turn on verbose logging for Windows Update and the Microsoft Installer, you could follow KB 2545723 - How to Enable Microsoft Installer logging and Verbose logging to gather additional troubleshooting Information... or, if you are masochistic enough, you can copy the following into a .reg file and open it to import it into your registry (it writes under HKEY_LOCAL_MACHINE, so you need an elevated prompt):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace]
"Level"=dword:00000004
"Flags"=dword:00000007

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Agent]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\ARP]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AU]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\AUClnt]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\CDM]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\CltUI]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Cmpress]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\COMAPI]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\CPL]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DnldMgr]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Driver]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\DtaStor]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\EEHndlr]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Handler]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Inv]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Misc]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\OfflSnc]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Parser]
"Level"=dword:00000004
"Flags"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Perf]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\PT]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Report]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Services]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Setup]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Shutdwn]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\Trace]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestMain]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\TraceTestThreads]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WUApp]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WuRedir]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace\WUWeb]
"Flags"=dword:000000ff
"Level"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"Logging"="voicewarmupx" 
"Debug"=dword:00000007

Every 200MB or so, Windows Update truncates the log file and starts again, so you will also need to open PowerShell and run the following to keep a continuous copy:

Get-Content -Path "C:\Windows\WindowsUpdate.log" -Wait > "C:\output\giganticlogfile.log"
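
The same settings as a PowerShell script, added here as an example (it is not part of the original post or of any Microsoft documentation), for when you would rather not hand-edit a .reg file. It writes the same keys and values as the .reg file above, restarts the Windows Update service and then tails the log into an appended file. My own assumptions: the output path C:\output\giganticlogfile.log, and that the agent re-reads the trace level when wuauserv restarts.

```powershell
#Requires -RunAsAdministrator
# Added example: PowerShell equivalent of the .reg file above. Same keys and values;
# the output path and the service restart are this example's own choices.

$trace = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace'
$components = 'Agent','ARP','AU','AUClnt','CDM','CltUI','Cmpress','COMAPI','CPL','DnldMgr',
              'Driver','DtaStor','EEHndlr','Handler','Inv','Misc','OfflSnc','Parser','Perf',
              'PT','Report','Services','Setup','Shutdwn','Trace','TraceTestMain',
              'TraceTestThreads','WUApp','WuRedir','WUWeb'

function Set-Dword($Path, $Name, $Value) {
    New-Item -Path $Path -Force | Out-Null            # create the key if it is missing
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Top-level trace key: Flags=7, Level=4, as in the .reg file
Set-Dword $trace 'Flags' 7
Set-Dword $trace 'Level' 4

# Every component: Flags=0xff, Level=4
foreach ($c in $components) {
    $key = Join-Path $trace $c
    Set-Dword $key 'Flags' 0xff
    Set-Dword $key 'Level' 4
}

# Windows Installer verbose logging policy, same values as the .reg file
$installer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
New-Item -Path $installer -Force | Out-Null
New-ItemProperty -Path $installer -Name 'Logging' -Value 'voicewarmupx' -PropertyType String -Force | Out-Null
Set-Dword $installer 'Debug' 7

# Restart the agent so it re-reads the trace settings (assumption: they are read at service start).
Restart-Service -Name wuauserv

# Keep a continuous copy of the log. -Append means re-running this adds to the same file instead
# of overwriting it, and an explicit encoding avoids the UTF-16 default of '>'. Ctrl+C to stop.
$out = 'C:\output\giganticlogfile.log'            # assumption: chosen output path
New-Item -ItemType Directory -Path (Split-Path $out) -Force | Out-Null
Get-Content -Path 'C:\Windows\WindowsUpdate.log' -Wait |
    Out-File -FilePath $out -Append -Encoding UTF8

# To revert once you have what you need (only if the Trace key did not exist beforehand):
#   Remove-Item -Path $trace -Recurse
#   Remove-ItemProperty -Path $installer -Name 'Logging','Debug'
```

Run it from an elevated PowerShell; the trace settings and the Installer policy both live under HKLM, so a non-elevated session will fail on the first New-Item.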