hckr.fyi // thoughts

Clean Up Your Online Accounts

by Michael Szul on

I hit the wrong key again. Staring at the screen with the twins making noise in the background, I'm wondering if I can edit out that part and make it a seamless cut, or if I'm going to have to overlay a transition. It also doesn't help that I fail to use the "Do Not Disturb" button in the Gnome notifications, so I cringe every time an email or messenger notification pops up in the middle of a screen recording. I generally have that software off when I'm in a state of concentration, but I record on days off—generally checking my email first before moving on to whatever tutorial I'm trying to accomplish.

Of course, I just installed this Kali Linux image on VirtualBox and wanted Sherlock to be one of my first tutorial videos for open source intelligence (OSINT) gathering. I might even do a few tutorials on Sherlock—an in-depth look.

Python? Check. Oh wait… wrong Python version. Python3? Check.

Great. Let's install some software.

First error? No pip found. Now I'm distinguishing between pip and pip3 and which one my installation needs.

Second error? No venv found. Let me just install that virtual environment package?

pip install virtualenvironment

Great. Wrong package.

sudo apt-get install python3-pip

There we go.

And all of that was recorded. That ought to give me some editing practice, I guess.

Anyway… Sitting here going through the Sherlock README and recording an explainer on screen as I use my own accounts to show how the software works, I realize how many accounts I have languishing out there unattended.

People search for you online. More importantly: potential employers search for you online. I work in academia as a software engineering manager and live in the Western part of Virginia. There is another "Michael Szul" who used to work at West Virginia University before moving to Rutgers, and who is currently under investigation for bullying and creating a toxic work environment.

No relation.

If you search for "Michael Szul" these news stories come up though. That's bad enough.

There are certain things (like above) that you can't control. You might as well take care of what you can.


Continuing to record the tutorial video, I decided to run through three variations of usernames: szul, mjszul, and szul2012. The number of accounts that come up is rather astounding. Not all of them were mine, and that's fine, but honestly, the number of accounts that were mine was just as astounding—accounts that I forgot about intermingled with web sites I had never touched.

Nothing is worse than a forgotten online presence. You never know what you might have left on those accounts, and others researching you online aren't going to care about how old those accounts may or may not be—especially potential employers.

If you're not keeping an eye on your online presence… just remember, you never know who actually might be.


Why do so many of your accounts have the same password?

I cringe. Every time I need my wife's login information for a specific web site, I hear the same password over and over again.

You know this is a major security risk, right?

Educating someone on the value of a little inconvenience versus the potential risk of a security breach is exhausting. I signed up for a LastPass family account over a year ago, and it was a painstaking migration and training effort to get the family on board.

In many ways, security is not convenient; even so, I also recently invested in some YubiKeys.

Every little experiment helps.


Those in the information security field are familiar with Sherlock as an OSINT tool, but it's also an important tool for the average user.

As mentioned, Sherlock allows you to search online accounts based on a username to get a list of potential web sites for researching individuals. Sherlock enables a malevolent scenario where a hacker can not only obtain information on users based on their online presence, but, by having a list of these other accounts, also gains a larger attack surface for hacking into accounts.

Breaches happen all the time. The danger is often not in the breach itself. Most companies take proactive steps to lock accounts or force password resets when they realize that a breach (or a leak of passwords online) occurs. The problem is that many people are like my wife used to be: The same password for many different accounts. Chances are that if you're using the same password on multiple accounts, hackers are using the password from the breached account to try to access other accounts you might have. Sherlock enables hackers in this sense by giving them a tool to find other potential accounts to attempt to access with the stolen/leaked password from the original account.

The beneficial aspect of Sherlock is that by using this tool yourself you're able to research your online presence in a much more effective way than simply Googling yourself. You can use the tool to review other potential accounts you have, close old accounts, and change passwords for stale accounts.

To begin, clone Sherlock from the GitHub repository:

git clone https://github.com/sherlock-project/sherlock

Next, install Sherlock's requirements:

cd sherlock
python3 -m pip install -r requirements.txt

If python3 is not available, see what Python version you have with python --version. If pip is not installed, you may have to sudo apt-get install python3-pip (or whatever variant is necessary for your operating system and Python installation).

Once installed, you can easily run Sherlock against your user accounts with:

python3 sherlock YOUR_USERNAME

Again, your command line arguments will be different depending on your operating system and/or Python installation.

This command will print the discovered accounts to the screen, but also store the links in a YOUR_USERNAME.txt file in the directory where you ran the command.
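Since I ran Sherlock for three username variations, it helps to merge the resulting szul.txt, mjszul.txt and szul2012.txt into a single per-site checklist for the cleanup. The script below is an added example and not part of the Sherlock project; it assumes each result file holds one discovered URL per line (any non-URL line, such as a trailing summary count, is skipped), and the sample file contents are constructed to stand in for real output.

```python
"""Merge Sherlock's per-username result files into one cleanup checklist.

Added example, not Sherlock's own code. Assumes USERNAME.txt contains one
discovered URL per line; non-URL lines (e.g. a summary count) are ignored.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample contents standing in for szul.txt, mjszul.txt and
# szul2012.txt; overlapping sites appear under more than one username.
SAMPLE_FILES = {
    "szul": "https://github.com/szul\nhttps://twitter.com/szul\n"
            "https://www.reddit.com/user/szul\n"
            "Total Websites Username Detected On : 3\n",
    "mjszul": "https://twitter.com/mjszul\nhttps://github.com/mjszul\n",
    "szul2012": "https://www.reddit.com/user/szul2012\n"
                "https://example-forum.test/u/szul2012\n",
}


def parse_results(text):
    """Return the URLs in one Sherlock result file, skipping other lines."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://")):
            urls.append(line)
    return urls


def build_checklist(files):
    """Map each site (hostname) to the sorted usernames found there.

    `files` maps username -> the text of that username's result file.
    """
    checklist = defaultdict(set)
    for username, text in files.items():
        for url in parse_results(text):
            host = urlparse(url).hostname
            if host:  # skip malformed URLs rather than crash on them
                checklist[host].add(username)
    return {host: sorted(names) for host, names in sorted(checklist.items())}


if __name__ == "__main__":
    # Replace SAMPLE_FILES with {name: open(f"{name}.txt").read() ...} for real runs.
    for host, names in build_checklist(SAMPLE_FILES).items():
        print(f"{host}: {', '.join(names)}")
```

Each printed line is one site to visit, with every username variation that turned up there, so a site that matched two of your usernames only needs one trip.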

Armed with this information, you can start to update and/or remove parts of your online presence.