Avoiding Digital Doomsday

Maryland Management Co.’s Bill Szczytko weighs in on doing business online.

BillSzczytko thumbnailBill Szczytko is the kind of multifamily industry veteran whose job description can’t be pigeonholed into one department. With an interest in marketing, job title based in IT, a strong grasp of social media and a passion for real-life residents, Szczytko has earned a following as someone who can be counted on to deliver prescient insight about apartment management. His network of contacts in the industry is nationwide, and he effectively uses Twitter to gain a grasp of what fellow multifamily professionals are talking about this very minute. He appeared at the 2014 Apartment Internet Marketing conference in Huntington Beach, Calif., where he talked about avoiding landmines while doing business online. He shared additional insights into what those landmines look like in a recent interview with MHN Contributing Editor Leah Etling.

What are the most worrisome threats that multifamily firms might face from hacking?

The most worrisome threat we face is our own complacency. Hackers want one thing. Information. This information can be social security numbers, credit card numbers and bank account information. Some try to obtain this information for the fun of it, but most use this information to make money. There are many ways they try to get it. Viruses, phishing schemes, brunt force attacks, and hacking weak user account information. Most threats can be avoided just by being smart about how you surf the Internet and the kinds of passwords you create.

What best practices are necessary for a company seeking to protect itself in the online realm?

It’s essential that you have several things in place. First, is a password policy that walks a good line between passwords people can remember and security. Second, is a form of antivirus running on the company machines. The best antivirus is always you, but it’s hard to get people up to the same level in regards to what is dangerous online and what isn’t. Antivirus at least gives you a pretty good shield. Third, make sure you have a policy in place when employees leave. You have to make sure their user accounts are disabled. Also, if an employee leaves who helped you with your social media, make sure you change the passwords for that too. You don’t want a possible disgruntled employee swinging away at you, as you.

What viruses should we be concerned about?

There are two for Windows that are genuinely nasty. One is any of the fake antivirus ones. Perhaps you’ve visited a site that all of a sudden “scans” your computer and reports how many Trojans and Viruses you have installed. Websites can’t scan your computer for viruses without your telling them to. These are scams, designed to get you to install it, then pay money to the virus writers to remove it. The other really bad one these days is Cryptolocker Ransomware. If you haven’t heard of this you need to research it and learn more about it. It’s probably the worst virus I have ever seen in my 30 years on the computer. Most viruses can be removed with professional assistance. Cryptolocker can also be removed with professional assistance but it goes one nasty step further. This virus actually encrypts, not just all of your local files, but also network ones as well. Then it uploads the key used to encrypt it to the hackers’ servers. In order for you to get your files back, you will have to pay upwards of $700. There are no cracks or antivirus removal tools to undo the encryption. You either pay or lose your files. Very dangerous stuff. Also, don’t be Apple arrogant; you can get viruses too, especially from unpatched versions of Java.

Has Heartbleed affected the apartment industry?

I asked around the industry and got very good responses. Yardi and RentLinx were never affected. Other vendors patched their servers and are fine now but they recommend that you change your passwords. Heartbleed is a really difficult vulnerability because you don’t know if anything was actually taken over the two years that it’s been in the wild. The hack was completely untraceable. After a site that you use has patched the vulnerability, (use this site to check) make sure you change your password. Better safe than sorry.

How about more “old-fashioned” scams like phishing?

Sometimes, something old fashioned still works well. Recently we received a massive amount of emails from one vendor who had installed a virus on their computer. This email contained a few lines of text and a link to a site. This site, if you looked closely at the URL, was NOT Google but if you went there it looked like a Google login page. The hackers wanted your account information. Phishing scams work because people do not pay attention to the URL structure. If you mouse over a link, your browser window will tell you where that link is pointing to (usually in the lower left corner). Make sure it’s going to where you think it should. For instance, if the email is purported to be from Bank of America make sure the domain in the URL is Bank of America’s!

Are there any concerns around domain name security?

Always. It all goes back to being smart about what passwords you use and who you give your information out to. If your site receives decent traffic and a hacker has access to your DNS records, it’s easy for them to point your domain somewhere else. Typically this somewhere else could be a porn site, spam link site, or a site that hosts viruses. Another little known thing is typosquatting. Typosquatting is where spammers will register misspellings of popular domain names. An example of this would be goole.com instead of Google. People misspell all the time. The thought is, when you do it, it will take you someplace you aren’t expecting. Make sure you’re checking your URLs! There’s a great website where you can see how many spammers are typosquatting around your own domains.

Changing passwords is a pain. Is it necessary?

It is both. People shouldn’t share their password but I know it happens. You probably forgot that you did. Changing passwords cleans the slate. If a hacker has figured your password out, changing it will negate it. It is a pain though. We’re human beings. I can hardly remember what I did yesterday. The best passwords to use are at least eight characters long, not based on a dictionary word, are significantly different than your last, and contains characters from each of the four types: uppercase letter, lowercase letters, numbers and a symbol. If you follow these guidelines, your password will be unbreakable. The best advice is to not use the same password across all of your sites. What I like to do is memorize three different passwords and then create variations on those passwords using the same set of characters. It gives me the variety I need without overtaxing my brain too much. Doesn’t mean I don’t use the Forgot Password links from time to time. Strong passwords are a frustrating but a necessary thing.