Podcast Episode 63: Succeeding as a Remote Working Nomad with Chloe Chamberland

Chloe Chamberland never wanted to get into security, and yet in the last three years, she has emerged as one of our most effective and prolific threat researchers. Not only does she find vulnerabilities in numerous popular plugins, she also travels the world while doing so. Chloe talked to me from a cabin in a remote area of Alaska, where she saw a moose for the first time. Chloe talks about how she got started in security and gives advice for young people who think they might enjoy security research. She also tells us why she loves speaking at WordCamps, the scariest vulnerability she’s discovered, and how she’s working with more developers to make their code secure.

In the news, I cover some recent WordPress plugin vulnerabilities, why cloud firewalls can be bypassed, and what site owners might need to watch for in Google Chrome’s upcoming SameSite cookie changes.

Here are timestamps in case you’d like to jump around, as well as links to primary sources.

2:08 Vulnerability in Code Snippets plugin
2:45 Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin
3:38 Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin
5:01 Infinite WP Client and Time Capsule Vulnerabilities
7:05 How Cloud Firewalls are Bypassed
7:55 Google Chrome SameSite Cookie Changes; Troy Hunt’s experiments with SameSite Cookies
12:03 Chloe Chamberland talks about how she got started in security, traveling while working, and how she finds worst-case scenarios with plugin vulnerabilities

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can reach me on Twitter @kathyzant. You can find Chloe at @infosecchloe.

Episode 63 Transcript

Chloe Chamberland:
A little query with a couple of parameters and you were suddenly escalated into administrator. It’s a pretty scary one.

Kathy Zant:
Welcome to Think Like a Hacker, welcome to 2020, and welcome to our new audio-only format. I am Kathy Zant. I am Director of Marketing here at Wordfence, and I’ll be your host for this, episode 62 (misspoke, this is actually episode 63), of Think Like a Hacker, the podcast about WordPress, security, and innovation. We started this podcast in March of last year with the intent of bringing you deep dives on the most important news stories in WordPress security, and we’ll continue to do that. Our ultimate goal with this podcast is empowerment.

Security can be scary, sure, but when you learn to think like a hacker, you learn to empower yourself. You see things differently. Our goal is to make everything we talk about, no matter how complex the technology, accessible to everyone. If there’s a story you’d like us to cover, please reach out. You can email me at kathy at wordfence dot com, and I’d love to hear from you.

By switching to an audio only format, we’ve got greater flexibility in bringing you the stories that matter most to you, and today’s podcast guest is a perfect example. Today, I chat with Wordfence Threat Analyst, Chloe Chamberland. She joins us from a cabin in a remote part of Alaska where she just finished her research on a vulnerability she found in the Code Snippets plugin, currently installed on over 200,000 WordPress sites. But first, let’s deep dive on some news stories.

We have had an active start to WordPress security for January 2020. Some important vulnerabilities have been discovered and let’s dive into those. Now, Chloe has discovered vulnerabilities in three plugins with large installation bases in the past few weeks. Most recently, she discovered the high-severity cross-site request forgery to remote code execution, vulnerability in the Code Snippets plugin installed on over 200,000 WordPress sites, including a couple of my own. Now, the blog post for this and the other vulnerabilities we discuss today will be in the show notes, and I recommend that you take a look at the short two-minute video that Chloe recorded showing us exactly how an attacker could trick a site owner into installing malicious code on their own site, as well as to add a malicious administrative user.

She also found multiple vulnerabilities in a plugin installed on 80,000 WordPress sites called the Minimal Coming Soon and Maintenance Mode — Coming Soon Page plugin. It’s a pretty flexible plugin but had some security issues. Chloe worked with the developer to ensure that the vulnerabilities were patched. She then worked with our threat intelligence team to make sure our firewall was blocking attempts to exploit these vulnerabilities, and then published her research.

She also goes the extra step to make sure that the vulnerability is listed in the WordPress vulnerability database. This is a tool that Wordfence leverages to let you know when a plugin update has a security patch. It’s nice to get those Wordfence emails, letting you know that a plugin has a security issue so you can take quick action to keep your site safe. Chloe also found easily exploitable vulnerabilities in the WP Database Reset plugin. This is another plugin with over 80,000 installs. This vulnerability was picked up in the security press covered by numerous tech publications including ZDNet, ArsTechnica, Slashdot, TechRadar, and others.

This was a fairly frightening vulnerability and gives credence to the idea that with great power comes great responsibility. So, database reset. Let’s say you have a new WordPress site, and you’re playing with the site design and the site content, and somewhere along the way you decide to scrap everything and start from scratch. Now, this plugin does just that. It can be quite helpful in the early development of your site, however, when left unsecured, these functions allow any attacker to wipe out the contents of your site’s database without being authenticated, meaning without being logged in. An attacker could also delete all users and make themselves an administrator if you have the functionality to allow site visitors to add themselves at subscriber level. There’s a video on the blog post that goes along with this research that shows how easily this was exploited, and we recommend watching this. I think that’s also on our YouTube channel.

Our friends at WebARX Security found a couple of vulnerabilities in both the Infinite WP Client and the WP Time Capsule plugins, allowing attackers to log in to WordPress administrator accounts without a password. Time capsule had an installation base of 20,000 WordPress sites, but the infinite WP Client plugin is installed on over 300,000 WordPress sites. As we do with all incoming vulnerability reports, we verify that the Wordfence firewall is protecting customers. And with the infinite WP Client plugin, we found that the only way to really protect Wordfence users was to make actual changes to the Wordfence plugin to keep your WordPress site safe. Matt Barry, the Wordfence lead developer who wrote the firewall protecting your sites, took leadership in our organization to make sure that these changes made it to customer sites immediately. Normally, we push firewall rules to our premium customers immediately, and those of our customers still using Wordfence’s free install, receive those rules 30 days later. Due to the severity and large installation base, we decided to protect all of Wordfence users immediately on release.

In monitoring other firewall and security solutions, there were a number of modifications that other vendors had to make in order to protect against exploitation. WebARX had to modify their firewall to protect users and Sucuri. He made the choice to require white listing for any Infinite WP Client activation. So if you’re using infinite WP, which is a site management console where you can authenticate a number of WordPress sites to a centralized management system, and you need to add a new site to your management console, you’ll have to go through an additional step in order to make that authentication work if you’re using a cloud service like that.

One note about cloud firewalls versus endpoint firewalls. Cloud firewalls can be bypassed. In order to use a cloud firewall traffic to your site is sent first to that cloud firewall, which is on a different server than your website, and that request is inspected for malicious patterns before it’s routed to your website. If an attacker can discover your origin IP address, in other words, discover where your site is actually being hosted, they could carefully craft an attack to exploit vulnerabilities, thereby bypassing the cloud firewall. Now, obviously the takeaway with all of these vulnerability reports is to stay on top of your WordPress security, and keep your plugins updated. When a plugin update comes along, it’s important to patch your site as soon as possible.

Another story that’s important for site owners is about same-site cookies. On February 4th, Google Chrome will change the way it identifies cookies without a same-site attribute. With Chrome version 80, any cookie without a same-site attribute will be treated as lax, L-A-X, by Chrome. It’s important to understand because this may cause some issues with user experiences. We need to look at why sites actually use cookies.

Cookies help a web application identify who you are. For example, think about logging into Facebook, or Gmail, or any other website where you have a user account, and you closed down your browser and you come back and open it up, and Gmail still remembers who you are. Without cookies, a website would not be able to tell who you were. Each cookie has key equals a value pairs, along with a number of attributes that control when, and where, and how that cookie is used. So the same-site value, that key, has a value of equal strict, or equal lax, or equal none.

Let’s say you’re logged into Instagram and you’re visiting a cooking blog and you’re looking at the latest and greatest recipe for kale. On the side of that blog post is an Instagram widget with the latest pictures from that site owner. That widget has third-party tracking cookies associated. These are tracking cookies that are associated with Instagram, even though you’re on a third party site. Or if you’re visiting virtually any site, Google is tracking your logged-in Google account and the sites you’re visiting for the purpose of Google Analytics to tell site owners how users are interacting with that site.

Now, with these new changes in Google Chrome 80, cookies without a same-site attribute will be treated as lax. Now, a lax designation will mean that your cookie isn’t sent cross-domain for the riskiest scenario such as HTML post forms, so if you’re submitting a form on a site. Now, if it’s a strict, your cookie is never sent across cross-domains, but if it’s lax, it may with some cases, but not like HTML post forms. Other browsers such as Firefox have same-site attributes available to test as of Firefox 69, and it will make them default behaviors in the future.

Troy Hunt, who is the man who helps keep us all safe with Have I Been Pwned, wrote a blog post recently about promiscuous cookies and their impending death via the same-site policy. He tested this with a number of his sites and he noticed that this kind of gets interesting with enterprise systems. He stated that: “enterprise IT administrators may need to implement special policies to temporarily revert Chrome browser to legacy behavior if some services such as single sign on or internal applications aren’t ready for this launch on February 4th.” We will have his blog posts linked.

Now, what does this change mean for WordPress? With that vulnerability that Chloe discovered, the cross site request forgery, these risks within web applications including WordPress, will start to go away. This is a welcome change, but it will be important to ensure that your site, WordPress or otherwise, is ready for these new changes. Thanks for listening to the news. If you have any comments, we would love to hear from you. If there is a story you think that we should cover, send it to press AT wordfence dot com or kathy AT wordfence dot com. I’ll make sure that we take a deep dive and look at the stories that are most important to you. Thanks for listening, and we’ll talk to Chloe next.

Kathy Zant:
Hi everyone. I am here with Chloe Chamberland one of our Wordfence’s threat analysts. Chloe, how long have you been with Wordfence?

Chloe Chamberland:
A little under three years now.

Kathy:
Okay. You started out in customer service?

Chloe:
Yes, I was doing mostly billing and presales questions.

Kathy:
I remember those days. You were still in college at the time?

Chloe:
Yep. Yeah.

Kathy:
You’re only working part time, and you didn’t want to get into security, did you?

Chloe:
Nope. I had zero interest. Both my parents are actually in security, so I’d always see them on the computer finagling with code and stuff. I’d always be like, “That’s not for me. That’s going to be way too hard, and I am not going to be able to handle that.”

Kathy:
What changed?

Chloe:
I started at Wordfence. Here, we’re actually given the opportunity to pursue certifications. I wanted to tackle that immediately because I love learning. I started out with the A+ certification. I was going through the material and everything and it honestly was really boring. Eventually, I noticed one of my coworkers was getting the Security+, and so I went and looked at that material and I took a practice test. This was maybe eight months after I had been working with Wordfence and I found that I actually did surprisingly well on the practice test, just from picking up stuff at the company. And so, I was like, “Okay, I’m going to give Security+ a shot.” Then when I took that exam and I studied for the material and everything, I was like, “Wow, this stuff’s actually really interesting and it’s not as complicated as it looks.” That’s kind of where my security start began.

Kathy:
Wow. That’s interesting. Now, your major in college was what, psychology?

Chloe:
Yep. With a minor in business and a minor in geography.

Kathy:
Now, I think there’s definitely a mindset to being a hacker. Do you think your psychology education helps you understand hackers more and security?

Chloe:
Yeah, certainly. I feel like with psychology, your understanding of the mind works and I like seeing things from different perspectives and trying to help others in different ways. I feel like the hacker mindset is very similar in the sense that you need to understand how different things may work, or react, or how the brain might function differently. A piece of code is the same way.

Kathy:
Brilliant. Now, how many credentials do you have now? Because you kind of got bit by that bug of taking that Security+ test, but you didn’t stop there, did you?

Chloe:
No, I actually really enjoy getting certifications. It’s really fun for me, so I have seven right now under my belt.

Kathy:
That’s crazy. I don’t think anybody at Wordfence has more than you. I think you’re leading the pack, aren’t you?

Chloe:
I think so.

Kathy:
Yeah. You have that mind of really being able to tackle those tests. I think that’s so cool. Now, after you started doing customer service, you moved over and started working with customers with hacked sites. What was that like?

Chloe:
That was fun. It was always different every day. I feel like I got another side of security, so I got to see logs, and I got to see malware actually infecting sites, and I was also helping customers, and they were always really grateful for the work that we did and how we were able to help them recover their site. That was probably one of the best parts about doing that job was being able to help customers in need.

Kathy:
Isn’t that the best when you get somebody in and they’re kind of freaked out that their site is hacked, and then by the end of it, they’re so grateful, aren’t they?

Chloe:
Yeah, exactly. That was a great feeling to have every day.

Kathy:
Yeah, totally. Now, were you cleaning hacked sites from … because I know you and Tyler travel a lot, don’t you?

Chloe:
Yeah.

Kathy:
And you travel and work at the same time, which is kind of what you’re talking about at WordCamp Phoenix, right?

Chloe:
Yep, exactly.

Kathy:
What’s your talk entitled?

Chloe:
How to Succeed Working Remotely as a Nomad.

Kathy:
Yeah. I know that was one of the top rated. Like, everybody’s like, “I want to hear this talk. This sounds fascinating.” How’s prep for that talk coming?

Chloe:
Good. I’m trying to incorporate a lot of photos to hopefully show people what it might look like traveling. I’m going to show some of the greater sides of things and some of the not so great things. It’s not always 100% perfect or easy, but it’s definitely worth it.

Kathy:
I know you’re in Alaska right now.

Chloe:
Yes, I am.

Kathy:
How is that?

Chloe:
It is amazing. I’ve seen a moose already. I’ve been here three days. That was one of the top things on my list was to see a moose and I got to do it. Then my second thing was to see the Aurora Borealis, which I actually got to see last night. We took SUSVs, up to a [place], it’s called Charlie’s Dome. I think it’s like a little hill or a mountain. I’m not sure of the exact specifics. But yeah, we took those up to the top of the thing where we stayed. We hung out in a little yurt and went outside every now and then to check on the Aurora, because it was like negative 30F out last night. It was so cold.

Kathy:
Oh my gosh.

Chloe:
Yeah. But it was so worth it. I got some nice photos.

Kathy:
Yeah. You posted some in our little travel channel, so that was really cool to see. We’ll see if maybe we can pull some of those on the podcast show notes so people can see where you’re working. Where here finding all these vulnerabilities and seeing all these amazing sites. Where’s the coolest place that you cleaned a hacked site?

Chloe:
Okay, let me think. Probably on a cruise ship crossing the Atlantic. Or actually, I was a security analyst in Norway, so that would be cruising through the Norwegian fjords. That was pretty awesome.

Kathy:
Are you finding that you’re getting decent bandwidth on cruise ships?

Chloe:
That’s probably the worst place I ever get bandwidth. But for me, it’s worth it. I just account for spending a little bit of extra time each day. You’re kind of on a cruise ship with not that much to do, so it’s not like the end of the world.

Kathy:
Oh, sure. So you might as well just get some work done between the different destinations I guess, huh?

Chloe:
Yeah. Yeah, I actually feel pretty productive when I’m on cruise ships too, even though the wifi isn’t the best.

Kathy:
Is it just because you’re sitting in a cabin and there’s not much else to do?

Chloe:
Yeah, and I think I’ve gotten this mindset on them now, because we do a lot of transatlantic cruises, so they’re like 12 to 14 days. They take you from Florida over to Europe. You end up spending probably 10 of those 14 days at sea, so there’s not much to do besides shows at night and eating. It’s amazing, basically, just working all day eating, and watching some shows.

Kathy:
Wow, that sounds perfect.

Chloe:
Yeah.

Kathy:
You went to China, didn’t you?

Chloe:
Yes, I did.

Kathy:
How was that experience?

Chloe:
It was totally different. It was not what I expected, in a good way. It was just nothing I’ve ever experienced before. That was my first trip to Asia. The food was great. I’ve heard a lot of people saying it wasn’t going to be clean, but it was really nice there. I actually really enjoyed it. I got to go to Shanghai Disneyland, too, which was awesome.

Kathy:
Were their challenges working there?

Chloe:
Yes. The first day I was there, my VPN worked just fine. And I had a weekend. Then I went on a cruise to Japan where my VPN was working, and then I got back into China, and my VPN was no longer working. They probably found it and shut it off, so at that point I ended up taking a few days off. It was luckily over the 4th of July week, so I only had to take a couple of days off.

Kathy:
The great firewall of China got you.

Chloe:
Yeah it did. I probably should’ve done more research.

Kathy:
That’s amazing. I just think it’s so great that you get to, especially at your age, you’re what, 21?

Chloe:
Yeah, 21.

Kathy:
At your age, to have a fascinating job and to travel the world at the same time. I joke with people that I want to be you when I grow up, because you’re just living the life and it’s great. Now, what advice would you give someone who wanted to get into the security field. Especially for women, like younger women, what would you advise them to get started?

Chloe:
Just to get started, I would recommend taking a look at just security basics and seeing what that entails. Because for me for example, I didn’t know it was as simple as it was. Then once you gain just a little bit of experience each time, you’ll slowly start growing and growing into a more rounded off security professional. If you just start at the bottom, it’s not that hard. Then you just keep learning, and learning, and learning and then soon you’re going to be at a point where you’re like, “Whoa. I’m a security professional, and I have all this knowledge that I never thought was possible.”

Kathy:
I think a lot of people think, “Oh, I have to become, “security professional,” and it seems daunting. It seems like too big of a task. But everybody starts somewhere, don’t they?

Chloe:
Exactly. Yeah.

Kathy:
Yeah. You started somewhere and you just … You have this mindset of, like when we were at WordCamp US and I saw that opportunity of the Unconference, and I know you like speaking and sharing your knowledge, and I just pointed it out to you. You just, you did it. You pitched a talk, and you got selected and you just took the opportunity, you identified an opportunity, and went for it. Not everybody does that. I think that’s really neat. It’s great to watch you do that. What is it about you that gets you to the point where you see opportunities and take them? That may be a loaded question.

Chloe:
I really love challenges. I just love challenging myself. And so, I feel like there’s two ways it can go. You can succeed or you can just learn from any mistakes that might’ve happened. Either, way it’s a win-win. Challenges might be scary, they might be terrifying and in bad situations, but the only thing that’s going to result in it is that you’re going to learn. I just like to tackle as many challenges as I possibly can.

Kathy:
Well, it’s definitely paying off for you. And now you’re… what was it, like last summer, you started doing threat analysis? How did you get started doing that?

Chloe:
I started in August. I had just gotten my PenTest+ certification and I sat down with Mark, our CEO, and he’s like, “What do you want to do?” I said, “Something around pentesting maybe, because it’s really challenging, it’s always going to be different.” He suggested this threat intelligence role. I was honestly mortified at the time. I didn’t think it was possible, again, but I took the challenge and now I have found the specialty that I want to continue pursuing, and I am in love with it because every day is definitely a challenge. You’re also helping people with implementing security things and I’m learning every single day, so it’s definitely a dream role.

Kathy:
Now to me, it seems like something that’s like a big daunting, that’s a challenging job. I don’t know if I could do that. Cleaning hacked sites, I love doing that for a lot of the same reasons you had described, but the threat analyst role, that’s a lot of research, and that’s a lot of unknowns, and and a lot of challenges. Is it getting easier?

Chloe:
Yeah. I think every day I learn something new, so I think it’s getting a little bit easier and easier. I don’t know if it’ll ever be 100% easy because it’s always going to be a challenge, but it’s definitely getting more comfortable. Yeah.

Kathy:
You’ve been on fire finding some of these vulnerabilities in plugins lately. What’s been the scariest one you found?

Chloe:
So far, The scariest one I found was a privilege escalation vulnerability that all you had to do is just send a little query with a couple of parameters and you were suddenly escalated into administrator. That’s a pretty scary one.

Kathy:
Yeah, that does sound really scary. How do plugin developers respond when you contact them when you find these types of vulnerabilities?

Chloe:
They’re usually really grateful. They’re like, “Oh my gosh, thank you so much,” and then they go ahead and get a fix out immediately. They’re usually really, really positive and happy that we are there helping them catch things that they might not have seen.

Kathy:
Yeah. I know you’ve felt pretty grateful in being able to help customers. Do you get that same vibe when working with plugin authors?

Chloe:
Yeah, definitely.

Kathy:
Yeah. You’re definitely helping them with their coding practices and their business, too. You just published earlier today Code Snippets, which has over 200,000 installations. You found a vulnerability there. Can you give us a little highlight on that?

Chloe:
Yeah. I found a cross-site request forgery to remote code execution vulnerability in that plugin. It basically means that if, as a user, you could possibly be tricked into clicking on a link or an attachment of some sort and another site can send to you a forged request on your behalf, and ultimately infect your site and could possibly take it over. With the exploit shown in the post, I injected code that created an administrative user. So, if this vulnerability was exploited on a vulnerable site, you could have your site taken over by an attacker through an administrative account.

Kathy:
Now, when you found that vulnerability, was that the worst-case scenario? Is that what you envisioned how it could be exploited?

Chloe:
At the start?

Kathy:
Yeah, when you first found it.

Chloe:
When I first found it, I just found that it was cross site request forgery, so it was kind of not worst case scenario yet. Then I found that you could imports code snippets, but I found that it was disabled upon import. And was like, “Okay, this is fine.” Then I was like, “Okay, there’s possibly other ways that this could go wrong.” That’s when I took it a step further, and I found that you could add the active flag to the import and that would activate the code snippet upon import, even though it should have been disabled, and any imported code snippets as a result of the cross site request forgery would execute on the site.

Kathy:
So you didn’t stop at, “Okay, this is the vulnerability.” You had to sort of push the envelope and push it to worst case scenarios. It wasn’t immediately apparent, huh?

Chloe:
Yeah. That’s one of the fun things is you’ll find one little hole and then you can kind of see where it goes from there and try and push the boundaries to see what you find.

Kathy:
That’s the mindset of a hacker, isn’t it?

Chloe:
Yeah.

Kathy:
It’s got to be a hacker to stay safe from hackers. What is your favorite part of your job?

Chloe:
The fact that it’s challenging. I love being able to learn something new every day. Security is a very rapidly changing field, everything’s going to be different, and things change all the time. I’m in a field where I can continuously learn and I don’t think there’s ever going to be a moment where there isn’t something new that I can discover and learn more about.

Kathy:
That’s great. That’s one of the things I love about security, too, is that you’re never going to get bored here, are you?

Chloe:
Nope.

Kathy:
Always something new. The WordPress community is pretty diverse and pretty welcoming. You’ve done a lot of talks. Where are some of the WordCamps that you’ve spoken at?

Chloe:
I’ve spoken at Miami, New York twice, Vancouver. I want to say there was one more. Yes, North Carolina?

Kathy:
Oh, Raleigh, yeah.

Chloe:
Raleigh.

Kathy:
Do you like going? Do you like speaking at WordCamps?

Chloe:
Yeah, I do. I love being able to share my knowledge with people that may have been in my position just a few years ago. One time, I actually went to a WordCamp. It was WordCamp Raleigh. I gave a talk about passwords. At the end of the talk, I sat down and talked with these two ladies. One of them was like, “I’m interested in security, but I don’t really know where to start and I don’t know what I should do.” I sat down and talked to her and I kind of told her where I began. At the end of our conversation, she was like, “Okay, I’m going to do it. I’m going to go, and sit down, and read some more about it, and maybe get my Security+.” I thought that was really, really cool. That’s the reason I like going to speak is because hopefully I can inspire others and share my knowledge.

Kathy:
That’s really great. You’re speaking at Phoenix coming up, and I’m sure there’ll people will be able to see you at a local WordCamp sometime over 2020. Where can people find you online?

Chloe:
You can find me on Twitter @infosecchloe. that’s it.

Kathy:
Yeah, and on our blog, like every week.

Chloe:
Yeah. There, too.

Kathy:
Like, very regularly. Do you have more vulnerabilities that you’re researching now?

Chloe:
Yes, I do. I have some stuff in the works, and hopefully we’ll be getting those patched up. I’m working with the developers right now.

Kathy:
Well, thank you Chloe for joining me today and taking time away from the adventures in Alaska. We will see you in Phoenix in a few weeks. Oh my gosh, it’s next week, isn’t it?

Chloe:
Yes.

Kathy:
Yeah, I should be on that. I don’t realize how close it is. I am so happy that we get to see you and so happy I get to work with you and see you just really knock them out of the park. It’s been a pleasure. Thank you, Chloe.

Chloe:
Thank you, Kathy. Thank you for having me.

Kathy:
We hope you enjoyed this episode of Think Like a Hacker. If you’re listening on Apple Podcasts, please leave us a review or rating and let us know how we’re doing. You can reach me on Twitter @kathyzant. You can find Chloe at @infosecchloe. Links to our Twitter accounts are in the show notes. Definitely visit the show notes and take a look at the research posts linked there. I think you will find interesting information about some of the research we’ve done and that others are doing. We will talk to you next time on Think Like a Hacker. Thanks for listening.