
The year was 2008 and it was the dawn of a new world. Social networks like Facebook and Twitter were just starting to become popular and no one really knew what this thing called “social media” was all about. Many people in the security field felt like “zombies,” mindlessly using this new medium without spending the time to learn about the security and privacy risks that came with posting personal details to what was, for all intents and purposes, an open platform.

We also didn’t realize all the new ways that social media and other technology would change the way we live. Remember when Google Maps and MapQuest first came out? Before this technology, how did we ever drive from one location to another without a printed map and turn-by-turn directions, or without our phones barking at us to “turn left in 500 feet” (ironically, our devices are still giving us wrong directions)? Today, if you’re not following your family and friends on Facebook, you’ll miss out on important events and updates that previously reached us through other, ancient forms of communication—you may remember telephones and “electronic” mail. We still use both of these technologies today, but quite differently than just a decade ago.

The emergence of zombies

From 2009 to 2013, Kevin Johnson and I presented a series of entertaining talks entitled “Social Zombies,” where we discussed the security and privacy of social networks, location-based services (geolocation), mobile applications, facial recognition, and other new technologies just starting to hit the market. We discovered the same problems we found with social networks in each of these new technologies. The main issues were lack of privacy controls, security vulnerabilities, and uneducated (or unwilling to be educated) developers.

At the very beginning of this period, users didn’t take privacy and security seriously while using social networks, nor did the companies developing these technologies. After the first “Social Zombies” talk Kevin and I gave at the DEF CON 17 hacking conference, Kevin got into an argument with a Facebook developer during the Q&A that followed our talk. The talk itself was about vulnerabilities that we and other researchers had discovered in Facebook applications.


That Facebook developer told us we were crazy, stating that there was no way what we had demonstrated on stage in front of 500 people was even possible. He was sure of it. Kevin and I were certain of our (and our colleagues’) findings. Coincidentally, the developer also said his team was going to invite us to a Facebook party taking place in Las Vegas that weekend. For some odd reason, Kevin and I still haven’t received that party invite from Facebook.

To be fair, there was no real security team at Facebook back in 2009, and developers, in general, were mostly uneducated about security vulnerabilities introduced either through their own poorly written code or through the many different third-party developers who were leveraging the Facebook platform to create apps that thousands of people were using. Come full circle to today and things are very different from a Facebook perspective; Facebook has one of the best security teams around. Facebook aside, has anything really changed? It appears that security vulnerabilities, data breaches, privacy concerns, and poorly written code have only increased since 2009.

Zombies remain

Now that it’s been about 5 years since we gave the final “Social Zombies” talk, Kevin and I are revisiting this very important topic at the InfoSec World conference in Orlando on March 19th. Our new talk, titled “Social Zombies: Rotting Privacy, Moving Target,” focuses on the Internet of Things, home automation, government surveillance, net neutrality, new privacy regulations, and what all this means to you and your business. If you’ve seen the news and are paying attention to what’s happening in the world, you’re probably thinking it feels like we’re living in a zombie apocalypse. In a lot of ways, you may be correct!

However, there is a light at the end of the tunnel in that you and the organizations you work for have the power to do something about it, security-wise, that is. We’ll talk about the tools, techniques, and policies that can help you fend off brain-eating social zombies during our session in Orlando, and we hope you’ll join us for a “lively” conversation.

To learn how you can protect your organization from IoT and increasingly connected device issues, attend InfoSec World 2018, March 19-21, 2018.