Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX

It has been a busy week in WordPress security with active attacks on a number of plugins including ThemeRex Addons and Theme Grill Demo Importer plugins. In this week’s Think Like a Hacker, we look at what’s happening, review what a zero-day vulnerability is, and give you some advice on keeping WordPress installations clean and safe.

We also look at a vulnerability uncovered in the wpCentral plugin installed on over 60,000 sites, a WHO phishing attack, and Malwarebytes’ State of Malware report.

At WordCamp Phoenix, Wordfence Threat Analyst Chloe Chamberland spoke to a packed room of attendees looking to learn more about how she succeeds working remotely as a digital nomad.

Her talk starts at 19:13 if you’d like to skip ahead, though we recommend watching her talk on the YouTube video embedded below to see Chloe’s travel photos and audience interaction.

Here are timestamps for the audio if you would like to skip around:
4:27 Vulnerability in wpCentral Plugin Leads to Privilege Escalation
7:11 Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild
10:00 What is a “Zero Day”
11:28 Critical Issue In ThemeGrill Demo Importer Leads To Database Wipe and Auth Bypass
13:05 Keeping your WordPress installation clean
13:45 World Health Organization Warns of Coronavirus Phishing Attacks
16:28 Malwarebytes State of Malware 2020 Report
19:13 How to Succeed at Working Remotely as a Nomad – Chloe Chamberland’s talk at WordCamp Phoenix, video embedded below

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Chloe Chamberland on Twitter as @infosecChloe.

Please feel free to post your feedback in the comments below.

Transcript for Episode 66

Kathy Zant:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Kathy Zant, your host, and this is episode 66. So, we have a number of plugin vulnerabilities to discuss as well as audio from Chloe Chamberland’s talk at WordCamp Phoenix. Now, I interviewed Chloe a few weeks ago from a remote location in Alaska where she was seeing the Aurora Borealis as well as meeting a moose for the first time. At WordCamp Phoenix, she gave a presentation where she outlined what made her successful as a remote working digital nomad. Her talk was incredibly successful. I had a number of people come up to me after her talk saying how much they enjoyed it and the inspiration they got from Chloe’s talk. So, we hope you enjoy that.

Now, if you know someone that you think would make an interesting guest and think like a hacker, please reach out to [email protected]. We have a number of guests coming on the show in the next few weeks, but I want to hear from you. What are some of the challenges, some of the things you’re thinking about. What can we do to make your WordPress life easier? So [email protected], that comes to me and I will be in touch.

First of all, we have a new story about WordCamp Asia. Now, as many of you know, WordCamp Asia was canceled last week. The announcement came out, I think on February 11th, that it was canceled because of concerns in the region tied to the coronavirus. We did receive news that WordCamp Asia for 2021 has been scheduled. It is scheduled for January 2021.

Now, if you had a plan to go to WordCamp Asia and did not recoup all of your cancellation fees or found some financial hardship in this cancellation, there is a fund set up for some remuneration that could help you with that. That fund was started by Wordfence, and GoDaddy and Yoast also contributed. Now there are still funds available as a part of this assistance package. There is a process to go through in order to apply for assistance.

That is all detailed on the blog and I’ll have notes, links in the show notes.

We do have a number of plugin vulnerabilities to discuss today, but first I wanted to make a note, an editorial about plugin vulnerabilities and what it means for WordPress. Now there may be people out there that tell you “WordPress’s insecure, look at all the plugin vulnerabilities that exist.” I would take a contrary opinion to that primarily because the fact that WordPress is open-source means that plugin vulnerabilities, theme vulnerabilities, even vulnerabilities in core are disclosed, firewalled, patched much more quickly than a closed-source system might experience. So, the fact that we are seeing these vulnerabilities discussed and disclosed and firewalled is evidence that WordPress is secure and WordPress is secure more than I think other systems because of the community that’s associated with WordPress. It’s part of what makes WordPress unique. It’s part of what makes open source unique.

So don’t be afraid because you hear about plugin vulnerabilities and instead, feel empowered. Feel empowered by the fact that security researchers are poking at WordPress plugins. We are poking at WordPress core and themes and we are looking for vulnerabilities all of the time. This is just one way that WordPress and Wordfence and the other security researchers who are looking at vulnerabilities are working to keep your site, your business, and your assets as safe as possible.

So plugin vulnerability number one. This was published by Chloe Chamberland on February 17th. This was a vulnerability in the wpCentral plugin and this led to a privilege escalation. So, on February 13th, our threat intelligence team at Wordfence discovered a vulnerability in wpCentral. This was installed on over 60,000 sites at the time of our discovery. So wpCentral is a WordPress plugin. It’s designed to be used along with the wpCentral management dashboards. So this is another plugin that you plug into your WordPress site that allows you to basically manage WordPress through a different interface.

The software is designed to make site management easy and it has functionalities including automated sign-on with one click, as well as the ability to create backups, edit posts in their premium version and other things of that nature. So, this privilege escalation flaw allowed anyone that had an account on a WordPress site to basically escalate their privileges to that of an administrator, which is definitely problematic if you have a WordPress site that allows anyone to register. So if someone comes along and wants to register for updates and their level is a subscriber, they would then be able to escalate their privileges from a subscriber to an administrator, which of course, leads to a complete site takeover.

So of course, Chloe found this vulnerability, contacted the developer, and they made a number of changes to their plugin to ensure that their users are safe. We created a firewall rule to protect Wordfence premium customers and free users will receive that rule on March 15th.

And one note with this, even though we have a firewall rule in place to help protect our customers, it doesn’t completely protect against exploiting this vulnerability. So what’s really important if you’re using wpCentral to make sure that your site, your plugin is updated to the most recent version. You see, the problem is that exploitation and legitimate request via wpCentral look pretty much the same. So, if we’re going to block access to it being exploited, we would have to block legitimate requests as well. So, update your plugin.

The next vulnerability is a little scary. We heard about this actually from a customer, from a user who had seen some negative things happen on their site, and upon further investigation, we found that there was a zero-day vulnerability in a plugin called ThemeREX Addons, and that this is currently being exploited in the wild. We were seeing some rest end point usage that, because the REST-API endpoint was unprotected and improperly configured, we were seeing attackers actually adding malicious administrative users to sites that had this plugin installed.

So, we’ve investigated this and it appears that the REST-API endpoint within this plugin is unprotected and improperly configured. Attackers have already discovered this, and they are actively exploiting this on sites that are using this plugin. We estimate that there are probably about 44,000 sites that are using this plugin that are vulnerable. So we pushed out a firewall rule to premium customers. So they received that rule on February 18th at approximately 3:16 PM UTC to protect against this vulnerability being exploited. Free users will not receive this rule until March 19th. So if you are using this plugin, we are recommending at this point that you delete it from your site. Don’t just deactivate it, just delete it. It’s very good practice to remove any and all plugins that you don’t need on your WordPress sites if you’re not actively using them. And if you’re actively using this one, you obviously have to throw this in the balance.

What’s more important, keeping your site safe from intrusion or the functionality that you are receiving from this plugin? If the functionality is so great that you’re willing to take the risk, well that is your choice. If you positively need this functionality, now’s a good time to look at Wordfence premium because that’s going to protect you even though you’re using a vulnerable plugin. Now we don’t have a ton of data on who’s exploiting this vulnerability or what exactly they are doing other than the fact that we have seen suspicious administrative accounts on sites using this plugin. We will provide more details as they emerge. So if you’re unsure about this plugin and where it shows up, the plugin slug is “trx_addons.” So you would see that in your plugins directory.

So I guess now’s a good time to explain what a zero-day is. So a zero-day can be referring to a software vulnerability or it can be referring to an exploit.So it is a zero-day vulnerability or a zero-day exploit. So zero-day vulnerabilities refer to security holes in software. And now it could be in WordPress, it could be in your browser and could be in your phone. It refers to any vulnerability that exists in software. Now zero-days are not known to the software maker or to antivirus vendors. And so even though this vulnerability is not publicly known, it may be known to attackers who are quietly exploiting it, such is the case with this plugin. So think of a zero-day as basically an unlocked door, an open window, just a way into a system that attackers know about. As I’m sure you’re aware, zero-days are never any fun. You probably don’t discover that your software is vulnerable until you see exploits coming at it. And this is extraordinarily unfortunate when the users of your software are the ones experiencing the exploits.

Our final plugin vulnerability of this week was discovered by our friends at WebARX Security. They found a critical issue in ThemeGrill Demo Importer and this critical vulnerability led to database wipe and authorization bypass. So basically, it was allowing any authenticated user to get into a website, wipe the database, and basically become an administrator. At the time of discovery, this plugin had over 200,000 active installations and it was used to import official theme demo, content, widgets, and other theme settings with just a click. It was not required in order to use any of the ThemeGrill themes. It was just something that basically helped you get started. So it was not something that really needed to remain on a WordPress site. Yet many users, over 200,000 of them, had this installed. Now, after this vulnerability was disclosed, the install count dropped drastically. I guess people were saying, “Hey, I don’t really need this after all.” WebARX discovered this on February sixth and released a patch to all of their customers and reported that issue to the developer. And the developer published a new version which fixed the issue on February 16th.

So either update that plugin or if you’re not using it, just remove it from your site. Just another lesson in keeping your WordPress installations pretty tight and clean. If you are not using a theme, you should remove it. Don’t just deactivate it, actually remove it, delete it from the site. If you aren’t using a plugin, don’t just deactivate it. I have cleaned numerous sites that basically looked like the digital edition of Hoarders with hundreds of plugins installed and all deactivated and, of course, not updated. Really keep your WordPress installations updated and clean and of course, use Wordfence.

In non-WordPress security news, we have a couple of stories that I just wanted to bring to your attention. First of all, of course, there is fear in the world. Everyone is very concerned about the coronavirus, and phishing scammers see this as a perfect opportunity. Because when you are in a state of fear, you are apt to make decisions that you normally wouldn’t in your life. So phishing scammers are posing as the World Health Organization (WHO) and they’re trying to exploit coronavirus fears.

So, the WHO says that they are seeing offending emails, asking recipients to hand over sensitive information like usernames and passwords, and they’re including malicious links and attachments that are triggering installation of malware. Any time you see an email that is triggering fear, that is asking you to take immediate action or grave things are going to happen in your life, you need to take a step back from the computer and take a deep breath, and then maybe take another deep breath, and look carefully with the discerning eye at whatever is trying to trigger you into taking immediate action. Scammers prey on our fears and they prey on our fear of missing out, our fear of loss. And it’s just extraordinarily unfortunate as we are all dealing with this crisis that scammers are stepping up to the plate and taking a swing. But hackers gonna to hack and scammers gonna scam, and it’s just up to us to remain vigilant. And it’s important for us to not just remain vigilant for ourselves and for our family, but for our community as a whole.

Spread the word, educate older people who are often victims of scams like this, let them know what phishing is. Let them know how phishing works and let them know how scammers work. And it’s not just happening in emails, I’m sure. I’m sure it’s happening via telephone, via text, and it’s important for us to educate everyone we can so that everyone can stay safe. When everyone’s safe, it takes away the financial incentive that scammers and hackers have because we are on to them. Scammers and hackers and even spammers wouldn’t do what they do if it wasn’t profitable. So by reducing the surface area of their profitability, by keeping our communities safe, we make the world safer for everyone.

And in our final story, Malwarebytes Labs released their State of Malware report for 2020 last week. They took a look at the threats to both Mac and Windows/PC, the TL;DR or the too long/didn’t read, of this entire thing, is that malware and hackers and scammers and everyone we’re fighting against are becoming increasingly sophisticated.

What does that mean to you and me? It means that our defenses need to become increasingly sophisticated. So, I’m a Mac user, and I remember a time not long ago when Mac users were able to say, “Well, we don’t get malware because all of the malware is on Windows.” In 2020, Malwarebytes is reporting that Mac threats increased exponentially in comparison to those against Windows. Now, something to consider is that more Mac users are using Malwarebytes, so of course, they [Malwarebytes] are seeing more malware. When calculated end threats per endpoint, Mac still outpaced windows; however, by nearly two to one. So maybe, I need to apologize to all my windows using friends. Another takeaway from this report is that if you are working in the enterprise, the volume of global threats against business endpoints has increased 13% year over year, with aggressive adware, Trojans and HackTools leading the path.

Organizations are being hammered with Emotet and TrickBot to Trojan turned botnets that surfaced as the top five threats for nearly every region of the globe. TrickBot detections in particular had increased more than 50% over the previous year. I’ll have a link to the full report. The biggest takeaway I think just looking at the state of computing right now is that it is incredibly important for us to stay on the front lines, to stay informed. Education is the number one tool in staying secure. If you know what the hackers are up to, it is incredibly easy to stay protected. If you are unaware of how malware works, of how hackers work, how scammers and spammers and phishers and all of these bad guys are operating, this is when you are caught by surprise.

So, we are here to ensure that you are aware of what they’re up to so that you can protect the things and the people and the websites of course that are most important to you. That is the news for this week.

Up next is Chloe Chamberland at WordCamp Phoenix. We hope you enjoy this [talk]. You can also watch the full [talk]; it is released on our YouTube channel with all of Chloe’s slides. This is a good one to watch actually because you can see all of Chloe’s amazing pictures of all the places that she has been fighting the bad guys and helping customers recover from those attacks. She has been to some pretty amazing places. So thanks for listening and we will talk to you soon.

Chloe Chamberland:
So, who am I? I am a threat analyst at Wordfence. I go on the hunt for vulnerabilities and things inside of plugins and themes, and I have worked in multiple roles there. So I used to be a site cleaner, so I would clean hack sites and work with customers for that. And I used to be a customer service engineer, and so I was heavily [involved] or helping customers. And I did all three of these roles while traveling. So I think you can handle just about any role working remotely, and I highly recommend doing so. And I like to say I have two passions. I love security and I love traveling and I get to do both and it just makes me really happy and excited and hopefully I can inspire you to start traveling while you’re doing it or give you some tips if you already do.

I never really decided, I want to just go travel and work at the same time. It just kind of happened naturally. So I never really did any research. And so today I’m going to share with you some of the things that I learned from it and share with you some of the experiences I’ve had, and see why you might want to do it. So where I’ve been, I’ve been kind of around the world a little bit. I’ve been to China, Japan, London, Barcelona, Italy, a bunch of places in the States, a bunch of places in the Caribbean, a bunch of places in Canada. Last year, I spent 150 days away from home and this year my goal is 220 days away from home. And I’m hoping eventually I can go fully remote, like three months at different places all year long. I just have cats, and I need to figure out a way to get them to come with me because I love them so much.

Okay, so why travel when working? I feel like there’s kind of this connotation that when you’re traveling, you’re on vacation almost, but it’s not like that at all. It’s totally different. You’re traveling. It’s not always peachy and easy and it’s a challenge, but I genuinely think it’s so worth it. And I think if you’re at home working and you don’t have anything to do after work or things like that, why not be somewhere else in the world and be somewhere where you can explore at the end of your work day?

And so that brings me to travel is worth it. I have this quote from Anthony Bourdain that I just wanted to read. “Travel isn’t always pretty, it isn’t always comfortable. Sometimes it hurts. It even breaks your heart but that’s okay. The journey changes you, it should change you. It leaves marks on your memory, on your consciousness, on your heart, and on your body. You take something with you, hopefully you leave something good behind.”

And I think this applies both to working while you’re traveling and just traveling in general. It’s not always going to be easy. It’s not always going to be pretty. You’re going to see different things that are going to open your perspective and change your mind, but it is so worth it and it makes you a better person every single day and it makes you appreciate a lot of things in life more. So, one of the first main points is you’re going to have beautiful experiences. You’re going to see different places, you’re going to try different foods, you’re going to meet amazing people. And I’m about to start crying.

So, when I went to Japan we were standing in the subway just like trying to figure out where to go. We knew where we were going. We were just kind of indecisive and these two boys just came up to us and was like, “Do you need help? Do you know where you need to go?” And genuinely touched me so much that these people cared to help and same thing happened in Vancouver. We were lost, and someone came up to help. And I love interacting with these people that are just so willing to help and you get to experience these different cultures and you get to see these amazing things and I think that definitely makes travel while you’re working completely worth it even though there’s challenges. Which brings me to my next point is you’re going to have difficult challenges and you’re probably wondering why I would put this as why do you want to travel and work at the same time? But I’ll get to that in a second.

So you’re going to experience things like not having your VPN work when you need it to work. And that’s something I experienced in China. I didn’t plan, I obviously didn’t do any research and when I got there my VPN didn’t work and I need my VPN to do my job. So I just ended up having to take the whole week off which kind of sucked because I like to keep working and saved my PTO. And then you’re going to have challenges like wifi not working and you’re going to have just general travel challenges which is being in a different place after spending 36 hours on a plane. You were working on the plane, you could barely sleep. I have problems sleeping on planes. But with those difficult challenges and those beautiful experiences, you’re going to have personal growth. You’re going to grow as a person.

I personally have very bad anxiety, which has gotten so much better since I started traveling. I don’t do well in crowded spaces or things like that, but as I’ve traveled more and experienced different things and grown from these experiences, I have become less anxious of a person. And you can also just grow in the mindset. You can open your mind so much more and be more appreciative of everything in life. What brings me to my next point is you’re going to have a lot more positive energy and happiness. I’ve been through things traveling and you would too probably that would be challenging at the time. But you learn from those experiences and eventually things aren’t as bad as they were when you first started. You’re going to be more positive, you’re going to have a better outlook on things in certain situations and things that were bad, weren’t. And then with happiness, I am personally really happy because I travel all the time. I got to see a moose last week in Alaska, and I almost cried.

I feel like I get to be happy almost every single day. I mean obviously not every single day, but I definitely think that traveling has generally made me a happier person. And then for me, since I love my job so much, I feel like traveling helps me have a better work-life balance. So if I’m at home, I can sit on the computer all day just because I love my job, and I don’t want to disconnect from it. But when I’m traveling, I have that ability to disconnect cause I have something else that I love that I want to go do and I want to go explore. And I think if you have that same passion for your work, you might also have that same issue. So traveling might help you break away from working all the time, every day.

And then, where to begin? So you want to become a remote traveling worker and you don’t know where to start. Well, hello, hello. Okay. First things first, if you get a remote job if you don’t already have one or if you work for a company, you can try talking to them and seeing if they’d be willing to work out like you traveling for a little bit at a time and things like that. There’s so many great options. We’re obviously at a WordCamp, and so you can develop plugins, you can become a blogger, you can do so many different things. There’s so much freedom with WordPress and I think that’s how we all can have the ability to work remotely and then travel while doing so.

And then this one is make sure you’re prepared for your first trip if you haven’t done one yet. More so mentally. Things aren’t going to be perfect and you need to understand that things will go wrong and things are going to be frustrating. And just make sure you’re ready for that, and make sure you’re ready for things to go wrong. And I think that’s where you should be prepared, and you should plan like I never did.

And so then you’re going to want to plan your first remote work trip. My first trip was to Vancouver, it was a couple of weeks after I started at Wordfence, and I missed a meeting because they said I didn’t have to go to all the meetings, and I shouldn’t have done that. And I learned from that. And so with that trip I was on a boat for a couple of days and then in the Vancouver Harbor, I want to call it, I don’t know. But the first night we got there it was raining, and it was after a long flight and we took a dinghy out to get to the boat and it wasn’t the best. But then the second night it was great.

And so for your first trip I suggest doing a small little thing that is really memorable and then for the next few days, make sure you’re working while you’re there and seeing how it kind of flows. So when I travel now, I mostly do my things on the weekend, and I work during the week and just kind of get a feel for how that’s going to go for you.

And then I want to recommend starting small and gradually increasing your tripling. So don’t decide, oh, I’m going to go travel forever and find out you don’t like it just a couple of weeks into it. So I recommend starting smaller and then gradually increasing your trip lengths as you go. That’s how I kind of did it. I live in Florida, so I made little trips to Disney and St.Augustine and things like that. And it just kind of grew and grew over time. And last year I did two months away from home. And this year I have a few trips planned where it’s a month away and then I come back for a month.

And then once you have a feel for it and you decide that you do like it, I recommend determining how long you want to stay at places. I kind of figured out that a week isn’t really enough for me and I want to start staying at places for like a month at a time so I can kind of immerse myself a little bit better. Because when you’re working every day you don’t have as much time as if you’re just going to one destination. So I highly recommend staying longer, but figure out what works best for you. So my best single piece of advice is going to be to plan. That’s what I never did, and I think that would have saved me from so many different sticky situations that I had.

Determine your comfort zone. So, in that photo there’s a little outhouse. This is where I stayed in Alaska. It’s negative 30 degrees (Fahrenheit) there and I had to go to the bathroom in the outhouse and I was not okay with it at the start. But I actually enjoyed it, it’s nice, you have the birds chirping outside. And it wasn’t in my comfort zone before, but it’s in my comfort zone now. And so kind of figure out what your comfort zone is and then make sure you adapt with that over time. Figure out what kind of places you want to stay at, where you want to be. Do you want to be in places with lots of people? Are you going to be in places with little bits of people. And do you want to have fast working wifi all the time or are you comfortable working on one megabit per second? And kind of figure out what you’re comfortable with.

So, my second piece of advice is to budget accordingly. On my two month trip last year I was supposed to go to Paris at the end of it. I had flights booked and everything, but I ran out of money so I had to fly back home and that kind of sucked because I really wanted to go to Paris. But the lesson was learned there. Make sure you have enough money, budget accordingly. Make sure you say, “Okay, I’ll spend this much on food tonight. I’ll do that tomorrow.” I’m kind of in this place where I cook every night and then like do one night out at a nice place or do snacks here and there so I can try to taste all the different places. It’s important to consider accommodations, food and everything and your flights and make sure you budget accordingly.

Determine your workspace requirements. This is my boyfriend, we were at the Shanghai airport and that’s our makeshift desk because there was no tables or chairs available. Two luggages stacked on top of each other. And then our carry-on bags were our chairs. So you kind of want to determine are you comfortable working in a bed? Are you comfortable working at a desk? Do you need a co-working space? Do you need these certain things? And then you’ll also want to take that into account when you plan where you go and your budget. So if you want to go to somewhere, you’ve just got to make sure that they have your workspace requirements ready for you.

And then work out your work requirements. Like do they require you to use a VPN? Do they require you to do full disk encryption? Do they require you to not go to certain places? And I also would like to recommend that talk to them and let them know when you’re going to be places and if you work for yourself, this is not relevant. But if you do work for a company, make sure you let them know where you’re going. That way if you have any hiccups like I did, then they are already informed, and they’re going to be willing to help you and work things out with you. And then set your schedule accordingly.

There’s different time zones everywhere and if you’re on one side of the world and you work for a company and they’re on the other side of the world, or you’re a freelancer and you work with clients and they’re on one side of the world and you’re on the other, you need to make sure you’re setting your schedule accordingly and making sure you’re going to be available for anybody that might need you at work. When I went to China, my plan was to work from eight to 12 in the morning and then eight to 12 at night and then get my rest and do things during the day in that eight hour chunk. And well I ended up not being able to work. But that was my plan and I think you should set schedules in advance and then try and work with those when you’re in the place.

Now, always remember that things will not always be perfect, like ever. Hiccups are always going to happen. I don’t want to say never going to go as planned, but it probably isn’t going to go as planned a lot of the times. And so you just got to keep that in mind. And you got to take things slow and absorb everything. You got to make sure that even though things aren’t always perfect, you want to make sure that you’re still enjoying every little thing. So when I went on a Norwegian fjord cruise, my wifi cut out halfway through the fjords and I was pretty bummed about it, but I was like,”You know what? I’m in Norway, I got to just breathe, I can’t get my work done, it’s not going to be a problem.” And so you got to make sure that you remembered to take everything in even though work things might not go as planned. Because you can always work and make up your work. It’s not always guaranteed that you’re going to go back to a certain place that you’ve been or experience one particular moment that you’re in.

And then document everything. Make sure you take a lot of photos, make sure you take a lot of videos, write down notes. I think this is really important because once you’ve gone to a lot of places, you might start slowly forgetting certain things and then when you have these photos to come back to, you’ll be like, “Wow, I totally forgot about this. But I really loved it.” And I’ve had that happen multiple times and I think it’s very important to document everything. And then consider private journaling or blogging. We have WordPress, we can make blogs and we can share our stories with everyone. That’s something I’m personally trying to work on now is coming up with a blog and I’m trying to share my stories with other people. Because I have something to learn from you and you have something to learn from me, hopefully. Maybe. Yeah. So I like to share what I’ve learned and things and I think it’d be great if everybody shared everything that they learned. Because then everybody would not know everything.

And then I have some helpful resources for success. So this is a program called Remote Year. They provide, I think I want to say 3, 6, and 12 month programs. And they take care of your travel and accommodations and things like that. I think it’s five grand for a down payment and then two grand a month.

This is if you want to work and not have to worry about any of the travel planning. My favorite part is the travel planning, so I like the flexibility and freedom and finding good deals and things like that. So this isn’t for me, but it definitely can help you out if you don’t want to have that headache.

And then workingnomads.com is a place where you can find remote jobs if you don’t already have one. I like that the first three were WordPress because Automattic is a fully remote company as is Wordfence and a lot of other plug-in companies, and WordPress hosting companies.

Okay, and then I wanted to show you this one, Nomad List. It’s a really awesome resource and it can help you plan where you’re going to go. So let’s say you want to stay somewhere where the internet speed is higher, you can select internet speed right here, and then you can scroll down and you can see a lot of places that have higher internet speeds if that’s a requirement for you.

And then you can see the cost of living, you can see a cost of living for family, you can go to the scores, you can see the nomad scores, internet speed, humidity, walkability, all sorts of helpful resources for you to decide where you want to go on your trip.

Audience question:
Can you put up that last website you mentioned and the name of it again?

Chloe:
This one? Working Nomads.

Audience question:
No, the one you just finished.

Chloe:
Nomad List?

Audience question:
Yes. Thank you.

Chloe:
Yeah. And then I like to recommend Airbnb for accommodations and you can find really good bargains on there. In Thailand, you can stay there for $300 a month, which is on my list of places to go, and so you can find really reasonable places. And if you’re going to be traveling and you want to keep your house and you’re comfortable letting people into your home, you might want to consider Airbnb-ing out your house. You don’t have to do that obviously, but you can consider doing it. I personally do it and it helps me travel more, so I definitely recommend looking into that if it’s an option for you.

And then, because I’m a security professional, I just wanted to throw some security tips at you for while you’re traveling. Use a VPN wherever you go. If you’re going to be working in coffee shops and in public spaces, you want to use a VPN to make sure that your traffic is going to be encrypted when it’s running through the web. And make sure that nobody can ease drop on your traffic and steal work data or anything like that.

I recommend using a password manager and an authenticator app. Make sure you have one that’s going to be compatible with your phone and your computer. There’s LastPass, 1Password. Those are the two that come to my mind. Use an authenticator app that works offline.

Don’t use SMS. SMS isn’t secured, kind of. So use an authenticator app because if you go on a cruise like I do, you don’t have … I don’t pay for Wi-Fi on more than one device so I can only have one device logged in at a time. And having an authenticator app that works offline allows me to do that and log into my sites without having any issues.

And then use full disk encryption. If your devices are ever stolen, people won’t be able to steal the information off of your devices. And if you’re storing work data on there, this is pretty important because you don’t want someone to get ahold of any secret information.

Disable Bluetooth when not in use because if you’re working in public spaces and you have Bluetooth enabled, people can actually intercept the session and get access to your phone and things like that. And you don’t want that to happen, especially if you’re dealing with work.

And then be aware of your surroundings. Consider getting a privacy screen on your computer. If you work on airplanes and things like that and coffee shops, you don’t want people to be able to look at your screen and see what you’re doing. I work on airplanes a lot of the time. And I need to get a privacy screen and things like that as I start traveling more, and it’s definitely something you should consider. And just generally be aware of your surroundings, and seeing if anybody’s trying to look at your computer or things like that.

Then thank you. You can find me on Twitter @infosecchloe. You can email me at chloe[at]wordfence.com if you have any questions. And, again, my slides are available at chloechamberland.com/wordcampPhoenix. And now I’m happy to take any of your questions.

Chloe:
Yes?

Audience question:
What do you recommend for a VPN?

Chloe:
What do I recommend for a VPN? I use PIA. There’s several different options, though, so I recommend just looking up the best VPN options and then looking at some of the reviews of the top few and then seeing what works best for you.

Chloe:
Yes?

Audience question:
How do you pay for [inaudible] cash or do you just pay with credit card?

Chloe:
What was the question? It is how do you deal with different currencies at different locations?

Audience question:
Yeah.

Chloe:
I use credit cards and then sometimes I take out cash. I have a zero … I have a fully online banking company that does zero charges on ATM withdrawals and and foreign transaction fees. So that’s definitely the way to go.

Audience question:
Can I ask what bank that is?

Chloe:
Yeah.

Audience question:
What bank is that?

Chloe:
Oh, what bank? I use Bank of the Internet.

Audience question:
Bank of the Internet.

Chloe:
Yeah. Oh, sorry. It’s called Axos now. Yeah, they changed the name.

Audience question:
What did you do with the cats? What did you decide?

Chloe:
What did I do with the cats? They’re at home, and my boyfriend’s mom watches them for us every time we go. I need to get them to come with us.

Audience question:
What do you do about a hot spot or cellular Wi-Fi access?

Chloe:
What do I do about a hotspot or cellular Wi-Fi access? I currently don’t have a hotspot yet, but that’s something I’m looking into right now. I usually just use my phone in the the U.S. as a hotspot. But my cell phone, I have T-Mobile and it works in just about every country out there. So that’s what I do for my cell phone.

Audience question:
And when you said you were working with clients, how are you communicating with them? What app or resource are you using?

Chloe:
Yeah, so at work, we use a ticket manager system, because I was dealing with customer service regarding plugins and things.

Audience question:
… calls with them or anything?

Chloe:
No, no calls. It was fully online. Yeah. Any other questions? Yes?

Audience question:
What’s the longest trip you’ve taken?

Chloe:
The longest trip I have taken was two months long. Yeah. I’m hoping to go fully remote eventually.

Audience question:
Where to?

Chloe:
That was the one to … So we took a cruise to London and then we had to fly back to do something real quick. And then we flew back to London, took a cruise to the Norwegian fjords, and then we flew to Italy from there, spent a few nights in Rome, then went to Venice, and then we flew from Venice to China and stayed in Beijing for a few nights, and then we took a cruise to Japan, went around Japan a little bit, and then Japan back to China, went to Shanghai, went to Disney a little bit, and then that’s when we had to fly back home. So we went to Seattle, stayed there for a couple of nights, and then flew back to Florida. Yeah, it was fun.

Audience question:
So with your current job, is it project based where you can kind of go on whenever you want as long as you do 40 hours a week? Or do you have to log in at certain times just with the time zone difference. I’m curious.

Chloe:
Yeah. So my work is pretty flexible. I don’t have to deal with customers as much anymore. I do have core hours, but it’s only like a four hour time period. And the people I work with are so flexible that it’s not that big of a deal to have to be there as long as I communicate with them and let them know, “Hey, I’m going to China. The time zone’s 12 hours different,” and they’re really flexible working with me. Yeah.

Chloe:
Yes?

Audience question:
How do you keep yourself focused on your work and not get distracted by other things when you’re working?

Chloe:
So how do I keep myself focused and when I’m traveling? I love my job. I really do. So that really helps me sit down and get my work done. I get to go hunting for vulnerabilities and plugins and things. I have free reign to just explore. I absolutely love it. And so that’s kind of what keeps me settled in.

And so if you’re planning on going remote and working and things like that, find something you love to do. It’ll help you.

Chloe:
Yes?

Audience question:
You mentioned Airbnb. Were there any other resources you use to find lodging?

Chloe:
Yeah. So I mentioned Airbnb. Is there any other resources? There’s Vrbo. Hotels are always an option. I generally stick to Airbnb. That’s just my favorite platform to use and it’s really easy and I can always find cheap things for wherever I need to go. So that’s my main one.

Audience question:
The one time I’ve used Airbnb, I had a rude shock because it wasn’t what it was advertised as. …

Chloe:
I haven’t had that happen. I’ve stayed at several Airbnbs. But that can happen. You have hosts opening their homes. It can take … Actually, I did. Okay. So I just remembered. So when I went to Vancouver on that boat, there was these pictures of this really nice boat, clean, had like a nice table and everything. And I got on it and it was raining and everything and the boat was not what it pictured at all. The bathroom was really small and there was no area to sit. It was just a bed that was damp and cold, and not like the photos at all.

Chloe:
But I still like Airbnb and I gave it another shot, and I’m actually staying at one down the street and it’s nice, and it’s nice to have a kitchen and things like that with it.

Audience question:
You’ve found that it’s generally honest?

Chloe:
Yeah, it’s generally honest. Yeah. yeah.

Audience question:
Do you mind if I add to that question, too?

Chloe:
Yeah, of course.

Audience question:
So another cool way to travel, if you’re looking for lodging options or alternatives, you can do house or pet sitting in different countries and so you stay at that house for free. Sometimes they’ll even pay you or leave food in the house for you. So if you’re going to be working remotely, you can stay at someone else’s house, maybe just pet their cat every few hours and make sure it has food and get free rent. So that’s another idea.

Audience question:
That’s nice. Thank you.

Audience question:
Yeah.

Chloe:
Yeah, I know exactly what you’re talking about because I looked into that. I don’t remember the name of it, though.

Chloe:
Yeah?

Audience question:
Do you ever hire a local to be a guide for language purposes?

Chloe:
Do I ever hire a local to be a guide for language purposes? Not right now. I haven’t really gone to anywhere yet that’s been like too drastically different where I required that, but I’m going to Morocco next month and I was going to hire a guide for a day. It’s actually really reasonably priced there, and so that’s somewhere I’m going to do it.

Audience question:
And how do you find them?

Chloe:
Airbnb. They actually have experiences now and so that’s where I’m going to test this out and see how it goes.

Chloe:
Any other questions?

Audience question:
Where are you going in Morocco?

Chloe:
I’m going to Marrakesh.

Audience question:
You going to go to Chefchaouen?

Chloe:
What’s that?

Audience question:
You going to go to Chefchaouen?

Chloe:
No. What’s that?

Audience question:
The Blue City. It’s [inaudible 00:47:46] one of the Atlas Mountains.

Chloe:
Okay. I’ll look into that. Thank you.

Audience question:
Have a nice trip.

Audience question:
Where all are you going on your next trip?

Chloe:
So next month I am going on a transatlantic cruise. I’m going to get dropped off in Barcelona where I fly to Morocco and then I’m going to spend a week in Marrakesh and then I’m going to fly to Sweden, spend a week there. I’m going to come home. I’m going to be there for two weeks and then I’m going to take another cruise that drops me off in London, fly back from there. And then the next month, I go off to Japan, which I’m really, really excited to go back to. I’m going to be there for a week and a half, do another cruise, a transPacific that takes me over to Vancouver, and then I’m going to fly home.

And then I have some more trips planned towards the end of the year, another couple of cruises in Japan. And then at the end of the year, I really want to go to Europe for a month and see all the Christmas markets in December.

Audience question:
I know cruise internet is often slow and expensive. what do you do for that?

Chloe:
Yeah, it is really slow. What I do is I just kind of account for that and spend a little bit of extra time each day. And I stick to one cruise line, Royal Caribbean, because they have the cheapest Wi-Fi, so that’s how I make that work.

Chloe:
Any other questions? Yes?

Audience question:
You seem to be traveling quite a bit. Is it by choice or is it becomes you employer requires you to be at the location?

Chloe:
Is it by choice or is it because my employer requires me to be anywhere? It’s completely by choice. I choose to do this all the time and I really enjoy doing it.

Audience question:
I remember doing a lot of work for customers in California. And then when I moved out here to Tucson, to Arizona, I found that we worked together for a while, but after six months of not being in contact with them face to face, they started losing interest in and then going elsewhere to somebody else that they develop a relationship with. How do you keep the relationships going when you’re not there?

Chloe:
So I work for a company, and they’re just fully remote, and so all of our communication is done through the ticketing platform. And I’m not sure why they haven’t lost touch. It’s not like we provide like a long-term service to our customers. It’s more of like one time kind of thing.

So like when we clean a hacked site, it’s going to happen one time, so I would communicate with them for a day as I clean their site, and they would go about their way. And if they ever had any problems, they would just come back to us and we could help them out there.

Specifically speaking towards keeping relationships, I could recommend a conference calling. Did you do that? Like face-to-face on Zoom.

Chloe:
We do that now.

Chloe:
Yeah? Okay.

Audience question:
And you don’t have trouble with connectivity with the Zoom call or something like that?

Chloe:
No, I’ve been able to handle my meetings and things like that just fine wherever I’ve been.

Audience question:
Was the question about …

Chloe:
Communicating with customers. Yeah.

Audience question:
Yeah. …

Chloe:
Yeah, yeah. Mark’s back there. He can definitely help you with that. He’s the CEO of Wordfence and knows how things run. All right.

Audience question:
Are you going to any WordCamps?

Chloe:
I’m going to WordCamp Miami at the end of this month, and then from there I’m not sure yet, but I’m sure I’ll be at more.

Audience question:
Awesome.

Chloe:
Any other questions?

Audience question:
If there are any apps that are helpful for traveling?

Chloe:
Any blogs?

Audience question:
Apps.

Chloe:
Apps? I personally don’t use any so I couldn’t give you any right now, but I definitely need to look into some that can help manage my travel a little bit better. I just haven’t had time to fully dive into that.

Audience question:
When is your blog starting?

Chloe:
When is my blog starting? Yeah, so my website is chloechamberland.com and I’m hoping to start writing posts for that, and I’m trying to share everything I’ve learned and hopefully give tips and things like that so it makes it easier on other people, and maybe people will comment and give me their advice, too, because I’m always welcome to learning more things.

Any other questions? All right. Thank you guys so much.

Kathy Zant:
Thank you for listening to Think Like a Hacker episode 66. We hope you enjoyed it. If you’d like to follow Chloe, she is @InfoSecChloe on Twitter. You can follow me @KathyZant on Twitter. You can also follow the @Wordfence account with all the latest news about WordPress and security.

And we’d love to hear from you. If there’s someone you’d like us to talk to as an interview subject or if there is a topic you’d like us to explore more in depth on Think Like a Hacker, we’d love to hear from you. [email protected] comes straight to me, and I can make those dreams come true.

Thanks again for listening and we will be back again next week. If you’re going to be at WordCamp Miami, please do find me. Say hi. I love to hear from people who are listening to the podcast. We’ll talk to you soon.

The post Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX appeared first on Wordfence.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Tap To Call