
Don't Worry Delete Accounts - Michael West

BSides Peru | 24:14 | 74 views | Published 2018-06
About this talk
Sentry or: How I Learned to Stop Worrying and Delete My Accounts

Abstract: With social media, anyone can become "incidentally infamous" in minutes. Your tweet could go viral, your gif could get posted by a president, or the media could single you out because they think you made Bitcoin. This happens to hackers too: @MalwareTechBlog was arrested after DEF CON 2017 and certain media started doxing him and painting him as a spendthrift criminal based on his Twitter posts. Rather than become a social media hermit to prevent this, just set up a Sentry. This talk will present Sentry, an automated cross-platform application that will silently watch your social media for trigger words and unusual behaviors before springing into action. In minutes, Sentry can lock your Twitter account, delete your Reddit comments, disable your websites, and a whole host of other actions to keep attention away in high-visibility, low-privacy situations. Released under the MIT license and easily extensible, virtually any site and any API can be scripted with a bit of C#.

Bio: Michael West, aka T3h Ub3r K1tten, is a Technical Advisor at CyberArk who likes cats and is addicted to Twitter. His homelab has over 640 kilobytes of RAM. Michael presents regularly at Dallas Hackers Association and enjoys combining his software dev background with infosec to build tools for others. His interests include OSINT, amateur radio, and scanning long barcodes on the beach.

Transcript

The next great talk is Michael West, and I'll let him take it from here. Thanks. All right, thanks guys. Good morning. Today we're gonna talk about a tool I built called Sentry, and this whole thing's kind of themed around the Stanley Kubrick film Dr. Strangelove, or I learned to stop worrying and drop the bomb, and you'll kind of see why: it's a little bit of that kind of imminent nuclear threat and what we're gonna do about it. So real quick, intro slide: I'm from Dallas, Texas, representing Dallas Hackers Association, DHA. I worked at a little tiny startup nobody's heard of called CyberArk. I've done like IT admin, software dev, and then kind of moved into InfoSec for the past like six years, so

I've kind of done everything, and there's some available keywords, because like, stuff I'm interested in, you say well is word, so I'll probably perk up. And I guess that's proof I'm not a vampire, that I didn't get my pictures taken. Moving on. Does anyone remember this? Yes, it's been a little while. I know 2016 was a while ago, we were so innocent back then, but this is a gif that Trump tweeted. Or was it 2017? '16 was the election. But he tweeted this gif, and this was right in the middle of the whole media thing, who do we trust, you know, Trump is like going on about the media and ragging on about them, saying fake

news, all that stuff was really at the height right then, and he tweeted that. CNN wasn't very happy because it shows them being beat up. Nobody really knows where he got this gif or how he got this gif, but what we do know is who created it. There was a Reddit user who just creates, you know, all sorts of gifs, I guess you could almost call it [ __ ] posting, just on Reddit and just posting gifs and doing this thing, and we don't know how it got from him to Trump, but the trail led back to him. That user's name was Han [ __ ] Solo, and I love that they blanked out the ass in there,

but CNN found him, found his original post, and then they started to dox him using details left over on the, uh, on his, just biographical information. He didn't post his name or anything, they just found it out, data. And so what they did to him is they kind of said, oh, you better apologize or we're gonna publish information all over you. No, he didn't send it to Trump, he just made his own gif on his own personal Reddit page. And so they basically forced him to write an apology, about differing accounts, but that's kind of how it looks from the outside. And so he posts an apology and said, you know, I won't make gifs anymore. And so

how'd they find it? They said biographical data left on his Reddit page. People become what I call incidentally viral every day. Here we have Sarah Connor, who's just a journalist who'd start talking about robots killing workers at VW plants. I think I see the reference there. It was just, you know, a journalist who talks about like labor issues in Germany, I believe, and then she posted that and now she has like ten thousand retweets and lots of people talking about her, you know, just from something relatively silly like a name conflict with the Terminator series. And Ken Bone from 2016, now I can say we were so innocent back then. Ken Bone, you know, he's that lovable guy, he was on the

debates, you know, he's got the bright red sweater. And after he kind of got some notoriety for being this kind of innocent guy who just had a really, you know, cute couple TV moments, he did an AMA on Reddit. He used his Reddit account that he normally uses to look up, and that porn I believe was MPEG porn. Google it, just not here, if you don't know what it is. So, and this is not just limited to like people who show up in the news, this happens to InfoSec researchers too. You guys know Marcus Hutchins, also known as MalwareTechBlog on Twitter, or just MalwareTech. He helped stop the WannaCry virus by noticing there was a bug in the

code: it checked for a domain. It was supposed to change every time, but it only checked once, it only did one domain. He registered the domain, and now the WannaCry viruses that have internet access were stopped. And he got put up in the news, you know, named as a hero. But he worked like anonymous, he pursued it anonymously from the UK. Well, he came to DEF CON last year, did the DEF CON thing, you know, go out and party. Last day, goes to leave, the FBI stops him, arrests him, and now he's still stuck in the U.S. under charges saying he wrote some banking malware. And the reason this comes up is because while he

was in Vegas he did the normal thing: he posts on social media about what he's doing. You know, he rents a car, supercars, not really a big deal there, it costs like five nerve bucks. He went to a shooting range, lots of people in the photo shooting, but not like any crazy things. These are the kind of things you do in Vegas on your vacation. I think that was his first time out of the country, actually. And so what happens in Vegas can be publicized after your arrest. He was arrested, and there's a whole bunch of news that he can't control 'cause he's in jail, and they're showing, they're kind of digging up all this dirt about these things that he's

done in Vegas, you know, he's spending big like he's some big criminal, but I think most of us know that's probably not the case. So I always wondered, like, what if this happens to me? This is the kind of thing that keeps me up at night. I don't have a great risk stance, like, I use social media pretty heavily. Oh, that's an old profile picture, isn't it? And, you know, it's got my real name up there, I use the same username and everything, I'm kind of not trying to be hidden. But I've always wondered what happens if something like this happens. Here's a good example, it's really simple: Michael West in St. Louis, like 45 years old, probably wouldn't confuse

him for me, but went and tipped the student and was still working at the school like six months later after being charged. Great stuff. But I've always wondered, what if that happens in Dallas to maybe like a twenty-five-year-old or something? I mean, there's several Michael Wests in Dallas already. What if there's any kind of name confusion, or simply looking after me? If you guys remember the Boston bombing thing with Reddit and kind of the witch hunt they did, that kind of stuff makes me wonder what happens if that ever happens to me. And so there's only really been three solutions that people have told me. It's always been coming down to: don't post anything, just censor yourself

there. Don't post anything that is public, or don't post anything that could even come back to bite you, and if you do have to do that kind of stuff, compartmentalize it. You know, your Pornhub account should probably be a different username than your regular account, that kind of stuff, if you do that. The second option has always been: just avoid social media, or use it in a different way than it's intended, so use a pseudonym, keep everything anonymous. That doesn't really seem like great to me, because you're losing the value of social media, joining the conversation and being part of a community, which is pretty big in InfoSec, InfoSec on Twitter for example. And then the third option I

think most of us do is nihilism, which is just, you know, that's not gonna happen to me, I should be fine, right? Right. So I come up with this idea of something different. So we make this program called Sentry that watches for certain criteria. So this could be something you post, you know, just a coded message, or something your friend can post too. It could be something like, if you have over a thousand retweets, lock your account, you know, just in case you're getting some unwanted attention. Or, you know, run your own scripts, run your own detections, and then just call to this whenever you want to actually do something. And it can trigger a cascade of actions, so one thing

can do another thing, which causes another thing, or you can have one detection instead of something else. Really the goal here is to either lock down your accounts, wipe them, or delete them. And I've got to go with the gay furry account as a good example of this. Now, I don't really care about the furry fandom, but I know a lot of people there who are pseudo-anonymous. They don't use their real name in the furry community because they don't want to be attached to their real identity. You know, there could be someone who's like a senator who goes and does it on their own spare time. That's cool, but what if there was ever a connection leaked and they need

to go and quickly delete that account? And the scenario has always been: what if you were in the cop car, being taken five minutes to the station? You'd have your phone for that five minutes. What are you gonna do in that time? If you have a Python script on your laptop, that's probably not gonna help you unless you have a really good setup. And this is the kind of thing that you can trigger just by tweeting a phrase you can memorize. So the [ __ ] T of all this is written in C# with .NET Core, which runs on Windows, Mac and Linux. I've tested one of the Linux, could use some Mac reports. Everything is configured via simple JSON

config. I say simple, it's straightforward. You can also call from those scripts. We're using Selenium to actually automate the webpages, so by, like, logging into twitter.com and locking your account, and then for API is restr. And there's an example of what one trigger criteria looks like. That says when I tweet "Wing Attack Plan R", it'll check my public Twitter, then it'll lock my public Twitter, and it'll scorch, which means delete all the posts, and delete my sinful Twitter, the Jennifer account. This is what the services look like. So that last one said public Twitter. This is another example, this is an account we'll be deleting today, called delete me senpai. Simple username, password. Now, there is a problem

where you have this JSON file with all these names and passwords and all the goods, authentication details and your OAuth stuff. So CyberArk has a little program called Conjur. It's open source, I just use the open source version, there's an enterprise thing, but it lets us take the secrets out of the config file and call them from a REST API. You don't have to use that, but it's available. They can also support other secret servers as well. You can see right there, Conjur eval is the name of it. And so let's give it a quick demo. All right, so first we'll open up our config file right here, and you can see, I think I should have the best lesson, yeah, well,

I'll change that key. As you can see here, the only thing that's actually public is that one key there at the bottom. Everything else here uses Conjur eval, so everything is just pulled from that Conjur database. Again, you could just delete the Conjur eval here and just use that, but it's a lot of user present if you have to share keys. And so right here's our first criteria: "at BSides PGH need more snacks and track black". Do you guys agree? Here we've got some other ones here: retweets over 10,000, favorites over a thousand. I don't think we'll hit those numbers today, so that's fine, we'll go with the tweet one. And it's just gonna simply check my main Twitter

account over the API. And so I'll skip down here before we define that. You've got the API right here, uses the Twitter API. I've got the OAuth junk that's super verbose, and here's what it's gonna post. And so back up to our service config, we say we're gonna post that one message on the main Twitter account, and then a second Twitter account, we're gonna lock it. So I'll pull up that Twitter connect here. Here's the main one with cyber Wario, and here's that account that we're gonna lock. I see right here, actually, it gets every post time that's posted bleeded, I have to go post something else, so that's today's message. It's called uber kitten Tom. So what we'll do is we're gonna

start up Sentry. Now, a lot of stuff's gonna happen really quick 'cause it's all loaded in one big config file, but I'll explain it as it goes. And normally when you run in like production mode everything's headless, but to show an example of it, it will show the Chrome windows as it goes through. So first it's gonna load the services and it's gonna start verifying them. Here it starts Selenium processes with Google Chrome, and starts up two because we've got two web accounts, and then you can ignore most of the stuff at the top, that's Chrome junk. Here we're verifying all the services, so it verifies the API, makes sure it can work. Next it's gonna verify the web Twitter

accounts. It's gonna make sure it can log in on Selenium. There's no point in trying to actually do something if you can have the wrong password then. So it's gonna go through that, it's gonna check after it logs in, okey doke, and so it should say verified it worked in Tom Web as soon as it finishes loading. There we go. And now it's gonna do the same thing for that second account I mentioned, delete me senpai, which actually got deleted, because Twitter will delete, if you go to deactivate your account, if you don't do it within 30 days Twitter will actually delete it. So I figured that out last night, I'm like, why isn't this

Cal can't I log in, oh yeah, I deleted it. Both of those are back up. And oh, one more thing, we can also change IP addresses or Cloudflare DNS registries, so you can have your site go temporarily offline. Anyways, the first one we're gonna do is ask for more snacks, so I'm gonna go and copy that. And again, it's checking my main Twitter account, that's actually gonna run the actions on this Twitter account to lock it. We'll do that, and it's checking every 15 seconds I believe, so it shouldn't take too long for it to pick up that change. It's gonna go and lock that other account and it's gonna post on my main

account. So we got trigger detected. I'm gonna watch this just so you can see it. It's going to go to the profile page, check the box, and then type in your password. And again, in normal headless mode you wouldn't see this, but it's a lot easier to demonstrate. Okay, so that account's locked and we posted the Twitter status. Let's go look at it. I'll do tweets and replies. There it is. Something like, guys need to get the code, just go look at the replies to BSides PGH. Okay, so that's the first one. Next we're gonna look at another Twitter, another trigger, and this one's actually going to delete the other account and scorch one of the other accounts. So

where's that one at? Right here. "Wing Attack Plan R" is from Dr. Strangelove, it's the command they gave to go and launch the nukes, and no, we're calling it back. So what it'll do here is it's gonna check my main Twitter account over the API for this string, which I'll copy now, and then what it's going to do is it's going to go to this account that we just locked, which we'll see once I refresh it, locked, and it's gonna do scorch. And I call scorch that way to differentiate from delete. Scorch means delete all your posts. For example, services like Reddit, if you delete your account, your posts still stick around unless you go and edit them and clear

them. And then on this third account that we haven't seen yet, delete me senpai, it's actually gonna go and delete or deactivate the account. This is that account right now, you can see it's called uber kitten sinful account, that's where I post all my very unsavory things. So we should be set to go and delete that account. So now just gonna tweet this. And this is the kind of scenario I was thinking: you're in the back of a police car, you don't have a lot of time, you can type this phrase that you've memorized and trigger everything from there. Or if you trust someone, you could say go check their Twitter feed for when they post

this, and then you can have them do it. So we'll tweet that and we'll watch. And this is all stuff from before, just the things that it was doing. So we'll wait that 15 seconds or so for that to pull up. There it is. So this one's using the API to delete any tweets on the rubric and calm account, and this, which we just barely caught, is actually deleting the delete me senpai account once it loads. There we go. So now this account right here, that ironically we can't see the tweets, so I'm gonna pull it up over here. We used to have a gif on that account, but now it wants me to send my first tweet. And on this delete me senpai account,

refresh, it's gone. Now, I would recommend, if you plan to do this, to scorch your tweets and then delete your account, because if you deactivate your account and reactivate it, the tweets stay there. If it goes through the 30-day solution they're gone. But so that, in a nutshell, is Sentry and how it works. Let's actually go stop that real quick. And I'm just running in Visual Studio because it's easy to run in debug mode like that, but it runs great from the command line. So here is the features overall: just [ __ ] my [ __ ] up fam mode, which we'll get to on the next slide. We can do Twitter over the API, check for a few

things. I would really love if anybody has more suggestions on triggers, on what to post, that's all I could think of. When we log onto Twitter on the web we can lock and deactivate accounts, delete. Cloudflare, we can update DNS records and delete DNS records, so for example just take your website down. Pushover, which I barely mentioned, I've actually been getting notifications from Pushover about what's been going on: when it starts, when it does actions, what triggers something. So if you set this up on a server, you know, monitoring, you'll get push notifications. And then Conjur, which we talked about. Some things still being worked on are multi-factor support, which, that one's a real toughie. The

way I'm currently working on it is you'll get a push notification sent, hey, we need to log into your Twitter account. You click on it, you open a web page, you type in the code, and then it stays authenticated, and it tries to check whatever remember-me boxes it can and then keep the session alive by just refreshing it in the background. So hopefully you shouldn't have to do it more than like maybe once a month or so, whenever that expiration expires. Next we're looking at Reddit via the API, so it's gonna be blanking and deleting posts, and Reddit via web. Emailing or deleting accounts for email, that's gonna be kind of something where I think the,

a lot of people have been asking me about a deadman switch for this, and that's where I think that could come into play, because there are lots of deadman switch services that will send an email if you don't respond to something after a certain amount of time. And so just have it check your email and then check for the phrase of being attacked at being sure. And then clustering support later on, so you can have this running on multiple servers, so if they do actually fail you have to worry about it. This is the just [ __ ] my [ __ ] up fam mode. So it runs everything like you had all the triggers set. Its prompt for

confirmation, skip that. And it's a great way to call Sentry from your own script, so if you don't want to deal with all that stuff, you want to have your own Python script go and detect, you know, detect whatever you want, and just call this to actually do the hard work of doing Selenium stuff, go for it. Those are the commands you run, and you just stick some JSON in there or stick a file name there with the JSON in it. So on the left right there is the link to the code and the git repository. If you don't want to type out my username, T3h Ub3r K1tten, there's a shortcut, M Wes slash

github. And then that's me on the right, good name Twitter account. Feel free to come ask questions. I'd really love to get any ideas you guys have for services you want to have on this. I know some people ask about Instagram and Facebook. What kind of services you guys would like to see be deleted or have your posts deleted, or what kind of triggers you guys would want to have, or any suggestions for making this easier. But that's all I got. If you guys got any questions, go ahead.

So the question was, can we set it up so that, if you don't respond to a deadman switch, it'll send out information to like journalists or something, or the Julian Assange WikiLeaks password type thing? You could use that with the post functionality. It's not quite the best fit because this is designed to delete, but it's possible. It's not quite what it was designed for, but I think it would work.

Not yet, because it's kind of rainy, especially with the multi-factor being not quite there. I'm kind of looking to get some traction on this idea, because I don't think anybody's really thought about doing, I know some people have thought about doing this, but no one has really implemented it, I guess, at scale or across lots of people. It's all been homegrown Python scripts running on like your laptop and stuff. So I have had requests though from, I want to say it's, yes, it was lawyers. I was asked in Rochester about what lawyers, they may use their social media stuff and then that could come up later in court, or, like, look bad against their character and

stuff for the bar exam. So that's the ones who have been asking for, outside of, I guess, the hacker community, they've asked about this. So

what APIs, like, the Twitter API is easy. The hard part is the sites that, like, it doesn't let you deactivate your account without logging on to the web interface. That's why we use Selenium to go and click buttons and actually type in passwords and simulate everything that you would do as a human, which is surprisingly easy. It's only like ten lines of code for that whole thing about deleting your account. It's quite simple. I love Selenium. And that's why we kind of have this mode, so that if you want to just have it do all the work and you just want to run it from your own thing, go ahead. Pull welcome. But all

right, unless you've got any more questions, I think we wrap it up. Thanks guys. [Applause]