Best Practices in Cybersecurity with Moshe the Chief Geek

Julia: Welcome, everybody to another episode of Connect the Knox. I’m your host, Julia Hurley, connecting Knoxville to the nation. One of our guests has been a friend of mine for a long time, out of Columbus, Ohio, and I am bringing him on at my request, simply because we had an incident that happened in my real estate company and he is one of the top consultants for cyber security that I have ever met. Everybody, please welcome Moshe out of Columbus, Ohio. Thank you for coming on the show today.

Moshe: Thank you for having me, Julia.

Julia: Absolutely. Can you tell us a little bit about what you do? And then I think after that, I will talk a little bit about that situation and your recommendations for people in general.

Moshe: Yeah, so my background is very often going and helping businesses, small to medium size, anywhere from, we’re talking mom-and-pop to businesses as large as 400-plus employees, and giving appropriate recommendations for their entire networks, from day-to-day operations, just getting, you know, everything done so, “Hey, we can do our job and we can get the bills paid,” to, “Let’s protect our stuff so the money that we’ve now attained isn’t stolen.” Because one unfortunate statistic, I believe, if the numbers—what is it—60% of businesses that get hit with a cybersecurity attack close their doors within six months. Yeah.

Julia: That’s wi—I don’t even know how to respond to that. Just wow, I guess. So, tell us a little bit about what cybersecurity—what we hear, you know, what us lay people here, like, on Twitter or Instagram or whatever, it’s like, oh, hey, make sure you use a Gmail account and have two-factor auth—you know, authorization or whatever. What is that? That doesn’t do anything.

Moshe: Well, the thing about cybersecurity is, like, if you’ve ever seen the movie Shrek when he’s talking about ogres are like onions, where it’s about layers, the same thing is with cybersecurity: it’s about having layers of security. So, when people say, “Well, you seem, like, a little bit paranoid,” most of the people in the cybersecurity field, what’s today’s paranoia becomes tomorrow’s standard because it wasn’t too long ago, where people were saying, “Hey, having an SMS two-factor code is a little bit much.” Now, we’re saying don’t use that at all; it’s insecure. And we’re now moving on to different methods.

The most important thing is to be proactive, not reactive. The honest truth is, by the time you’re reacting to a cyber event, such as the event that happened with you, it’s a little bit too late because the damage is usually done, either reputation, monetary, or infrastructure, there’s so many things that can go on. So, the most important thing is, really, for the average person when we’re talking about this situation, is be mindful of, one, what data you’re putting out there, and two, where you’re putting your data. So, while you know, we may have Gmail out there that is the common one everyone uses, the problem is, if you’re not paying for it, you’re also the product. There’s definitely products, like, I personally use like proton.me, which is based out of Switzerland.

They actually—like, they encrypt the email to the point that if you have to reset your password because you forget it, you will lose all the data you had. They do have a free account that’s, like, 500 megabytes. And you know, that’s a nice way to start because if the infrastructure then gets compromised, your email is then protected. But on top of that, yes, there’s two-factor, there’s also being mindful of what your passwords are, which is why I then tell people you shouldn’t—you know, like, you see on camera, I have this as a joke. It’s a book of internet passwords. This was sent to me by a friend. But the premise is what you want to have, you just shouldn’t have a book. This is a little gag gift—

Julia: Look over this way because we can’t see you. Your camera is in a different position than we are, I think.

Moshe: So—here, let me—but yeah, so the idea is, you do want to have different passwords for everything. So, one thing I recommend is there’s a product called Bitwarden. It is free for personal use; they do have a business version that you can pay for, they have a professional version for personal users you can pay for. And if you’re technically savvy, you can also self-host your own Bitwarden server at no cost. So, there’s many different ways. You’re basically just paying for them to host it for you.

I actually deploy that to many businesses and you can have that to your team and it generates the password for you, so then all you have to remember is the master password. Which these days, you should generally be thinking of a passphrase at least, like, 16 characters. Because the honest truth is, it’s very easy to brute force a lot of these different passwords. And for the love of God, don’t make it things that are very easy, that we can, you know—if somebody wants to target you, for example, one of the easiest ways they will go about, if you—if they’re trying to specifically target you is through phishing is, they’re going to gather your information.

People give a little bit too much info on social media very often, to the point that when we’re talking about cybersecurity, one aspect of it is physical. Don’t post your actual physical key on a picture because the reality is people like me have 3D printers, we can trace that, we can copy that from a picture.

Julia: What are you saying? Don’t post what?

Moshe: Don’t post a picture of your key. Like, your actual, like, your actual physical key. Like imagine you have somebody who is malicious intent, like, a stalker or something like that. So, they’re holding up you know, your key, like, I got my apartment, I got the house. That’s why the first thing you should do whenever you get a house, you get an apartment, change the locks immediately.

And for the love of God, go to an actual locksmith. Don’t get any of these smart locks. I’m an IT guy; I’ve dealt with the smart locks. I will tell you, nine times out of ten, it’s better to have a good lock with a good, you know, what do they call it, like a… there’s a certain pin or whatever they call it that keeps you from picking it that easily. It’s not foolproof, but it’ll give you a little bit of time.

Get yourself a decent alarm system from a local alarm company. I’m telling you, there’s many great ones in every city. I’m pretty sure when I go down to Knoxville, I could probably find a few that I could say, yeah, I’d work with these guys or these guys. Don’t work with these big alarm companies, you know? Like, you probably hear of ADT.

Julia: They are crazy.

Moshe: They are crazy between the contracts and everything. Find a local alarm guy that you can actually take out the coffee that’s in your community. I have one well—I had one unfortunately, Covid, but he was the one that helped me set up my system. And it’s because of him, I got to learn more about how the systems work, which made me more comfortable with it, especially when the business transitioned over to another local security company. But the important part is, like, for example, I had an issue with my alarm system—and this is why I emphasize always working with the local MSP a local security guy—I actually got to hold them accountable for when my alarm didn’t trip, when my dog set it off and we found out, like, a sensor was faulty or something like that.

It was really much easier to deal with him. I got one email off to him, I dealt with him on his cell phone. There wasn’t this, “Oh, let me get my supervisor,” any of that. So, when it comes to cybersecurity, like I said, there’s many different layers to it. We’ve already hit on, like, different points. There’s password managers, there’s email, there’s even, like, being cognizant of what you put on social media.

Julia: So, the instance that happened with my buyers that we posted on TikTok, we had over fi—we had half-a-million likes and over, I don’t know, 300,000 comments. And the conversation basically—

Moshe: That went a lot crazier than when I saw it, then [laugh].

Julia: Yeah, it’s been a lot. And I have personally received about 2000 phone calls and text messages from real estate agents across the country asking me how I got the money back. And I got the money back.

Moshe: You’re luckier than most.

Julia: I am very lucky. We lost—well, ‘we—I didn’t lose anything. So, the buyers lost 10,000 total dollars that had already been transferred out. So, out of $120,000, they got back $110,000 in four weeks. And the work and effort that I had to put in to getting that money back—

Moshe: But that’s also because you were right on it and you probably had still a few things that were just, by the grace of God, in your favor.

Julia: Yeah. And it’s very rare that that happens. But what had happened is that somebody’s email got phished. And because I use the product that you talked about, I know it wasn’t me. And the lending company has financial information and their IT department confirmed a hundred percent in writing that it wasn’t them.

And both of my buyers, which I have permission to disclose, worked for Oak Ridge National Lab. So, that is a government-led facility, and we know that their emails were not compromised. So, that left one particular company that was involved in this whole situation, unfortunately, somewhere got phished. And so, the email that was sent out to the buyers only had this particular company on, it didn’t have me, it didn’t have the lender, it didn’t have the other realtor, it didn’t have the builder, it was just from this company to the buyer that said, “Hey, here’s your wire transfer. Wire this money to this account.” And even though my buyers are savvy people, they just did it.

Moshe: So, just for clarification, was the email that was actually sent, was it from their domain that they had—

Julia: Yeah.

Moshe: Oh, so they had a business email compromise. Okay. So, probably what had happened was there’s multiple factors that go into this. Again, I don’t know the environment, so I’m just going off of my experience.

Julia: Well, here’s the situation. So, they did it and they didn’t tell anybody. I literally talked with my clients every single day and they didn’t tell anybody they did it. I talked to them for three straight days, did not tell anybody that they had done it. We get to the closing table, obviously asking where their money is, and they’re like, “We wired it.” Everybody’s floored. Everybody’s is floored.

It was like, “You did what now?” When did you do that? [unintelligible 00:10:19] from the email. And I mean, there’s a wire—let me tell you, as a real estate agent in Tennessee, we are legally required to do the wire fraud form. It’s three pages. I read all of my documents to my clients.

Basically, our disclosure says, don’t wire your money unless you call, don’t wire money unless your real estate agent calls you, or your banker company—it’s very specific, don’t do this. And I don’t know how that—I just don’t know if they were just caught—I don’t know, but it got done. So, their money was gone from Bank of America to Regions Bank. It was the day before Thanksgiving. Thank God it was a holiday because Bank of America usually just says, “Here’s the wire [unintelligible 00:10:56].” Regions is a local company—I mean their national, but there’s a lot of them locally here.

And the effort that we have all made in the last four weeks to get that money back. And so, many people on that TikTok video, I mean, hundreds of thousands of people have commented on that, half a million people in the country. And a lot of them were like, “This is an inside job. Somebody got hacked. This is a phishing scam.”

How can you protect this? And so, real estate agents do use Gmail, AOL, Hotmail, which I see all the bleeping time, please don’t do this. And so, that’s why I wanted to have this conversation with you is, can you please give the best advice for real estate agents and consumers who are not savvy, how to use the correct email addresses, where protect those email addresses, and what to do?

Moshe: Yeah, so from a personal standpoint, I talk about proton.me. From a professional standpoint, I recommend Microsoft Office 365. The reason why is with real estate agents, it’s mostly about compliance. And Microsoft has the mechanisms inside of 365—to be specific because I know it gets confusing, there’s a personal 365 and there’s a business 365; I’m talking about business 365, not personal 365—that’s the one that constantly $6 per user per license—I mean per month—and it goes up to—you got—then there’s Microsoft 365, which I’ll get into that in a little bit. They have the naming confusing, but we’ll get into that. 365 basically—

Julia: Yeah, Microsoft’s not an easy product to understand.

Moshe: And this is why you need to have a partner in IT. The term you’re going to mostly find when you’re a real estate agent is called a managed service provider or what’s also revolving now into a managed security service provider. If you’re dealing with insurance, which is one thing a lot of real estate and other businesses don’t know, typical business insurance does not cover cyber. Cyber liability is a whole different policy. So ransomware, things like that, does not fall under business.

If you get your—I think most business policies I looked at, when you look at the electronics and all that, they cover, like, 10, $20,000 overall. It’s like, you will be—that’s why a lot of businesses close their doors. And then cyber liability insurance, they have been really, really cracking the whip on businesses to get the cyber liability insurance, that they actually want to talk to the IT companies, understand what your response plan and everything is because cyber liability insurance doesn’t just include, oh, you know, if you know the money is covered by ransom. No. It covers the legal side of things when you have to deal with the lawyers and everything to deal with the state response depending on, you know, what goes on, it also has to deal with the PR that’s going on with there, the notification, the response to all the people that were affected, the forensic analysis of everything, the rebuild, and the replacement of any hardware and/or software.

And the reality is most businesses, I’m not going to joke with you, from an honest experience when it comes to real estate and most small businesses, when I come in, they are miserably failing in the cybersecurity aspect, to the point that they are… they’re basically just on borrowed time. And there seems to be this very bad mentality where… I don’t know if you can call it [hippy or that 00:14:19] where it’s like, if I don’t put bad energy out into the world, it’s not going to come seek me. Well, the reality is, most of these attacks are automated and they’re merely just looking for the lowest-hanging fruit. I can pull up my firewall over here, you’ve seen my videos, where it’s like, what the heck does this guy have hosted? And I’m like, “Oh, this is just running my little things, like, there’s nothing major,” and I’m getting hit by tons of things.

Julia: So, as a real estate agent who is on average, 60 years old, okay, so let’s just be honest, the real estate agent industry is aging, just, like, the rest of the country is aging, proton.me—right—proton.me is a really good start for them.

Moshe: Yeah. It’s a great start. But if you’re in real estate, seek out a local provider that’s a managed service provider. You want to find—the honest truth is you don’t want to go with a one-man shop. You want to find somebody that has a team [audio sync problem 00:15:12] bond.

Julia: We all know that real estate is location, location, location. Our team at Just Homes Group Realty Executives have the true expertise, pairing buyers and sellers with the right opportunities. Whether you’re looking to buy or sell a home right here in Knoxville, Lenoir City, Clinton, or Farragut, we have the expertise throughout every Knoxville surrounding area. Call just Homes Group Realty Executives today.

Julia: You legally have to be under a broker, so the broker has to be protected as well. Let’s say, for example, you know, Realty Executives—which is who I’m with—Realty Executives is—you can get their service, it could be your-name@realtyexecutives.com. I have protected email. I have my own stuff, but I have an entire department for me that runs my stuff because I’m three businesses hidden under this one corporation name. But not every real estate agent has the ability or financial ability to do that. As an individual, what’s their best option?

Moshe: As an individual—well, if you’re just an individual and you’re not running it as a business yet proton.me, two-factor email, checking the headers of the email, which basically just means rather than just saying like, okay, Julia sent me an email, expand the email; is that her actual email? Is that the one that she normally sends from? And when I say pay attention, is that an I or an l?

Julia: Because the email that my buyers received was, this business name dot cam—C-A-M.

Moshe: Yeah. There’s just so you know, there’s businesses out there like Markmonitor and such that big companies spend tens of thousands of dollars a month for that literally, all they do is they just try to find domains that possibly could be used to phish and buy them proactively for clients. Like, that’s how serious the phishing problem is. And for businesses, I mean, there’s really no way around it; you need to get an IT, whether it be in-house if you’re large enough and you can afford that—generally, I don’t recommend that until you have like at least 50, you know, employees to cover that—there are some real estate agencies that are that big, some, you know, that they work better with what’s called a managed service provider, where they become the IT department for a contract; you get a few people, it cost you less than hiring a person.

Julia: Well, a lot of the bigger firms have it. What we’re finding is that a lot of the real estate agents want to use their personal email. They want to make one up.

Moshe: Don’t do that.

Julia: I cannot stress that enough. Every time I see a real estate agent in RMLS with their name at AOL, or their name.realtor@gmail.com, it’s—Gmail is good, don’t get me wrong, but they have just recently incorporated two-factor authenti—I mean just.

Moshe: Gmail has had it for a few years. There’s other issues with just how Gmail handles things. But regardless of that, don’t use AOL, period. Don’t use Yahoo, period. Hotmail because it’s Microsoft, it’s kind of a weird thing. Your grandf—you’re, like, on the Microsoft Office ecosystem, but not. You know, proton.me is free.

But the biggest suggestion I have for anybody—and I do this for myself—I have a personal email, I have the [chiefgyk3d 00:18:32] email that you know, I have the email that I get from whatever my job is. You know, I keep everything separate because people only need to know what they need to know. And then there’s extensions like SimpleLogin that if you pay for proton.me for, you know, the paid-for plans it comes with, and it allows you to actually make alias emails so that it just forwards to your email and then they just have a dummy one in there.

Because the thing is, you sign up to all these newsletters, you sign up to all these places with your email. They have your information. That goes out there somewhere. It gets leaked or breached or sold or something like that. That’s compiled in some database somewhere, that’s how they hit you with all these phishing emails.

Like, if you’re in—a lot of people, like for example, aren’t familiar with cryptocurrency, but there was a big, you know, compromise a few years ago with one of the vendors for cryptocurrency. The only thing of mine that got leaked was my email, nothing, you know, too vital, but ever since, I’ve gotten cryptocurrency-related phishing emails because of that breach. And that’s where a lot of these attacks come from is they’re just looking for different things. So, for personal use, I cannot stress enough have different emails, don’t use the same passwords for them. And you—

Julia: And get a password book.

Moshe: [laugh]. Well, Bitwarden specifically is the one I would recommend but yes. And, you know, Bitwarden is really inexpensive for families. I think they have, like, a plan for $8 a month for five people or something like that. I’m not affiliated with them. I just like their product. But at the end of the day, they’re looking for those [unintelligible 00:20:01]

Julia: And what would that be? Let’s just say for example, grandma wants to set up an account so she can open her Facebook, so she can open a—it’s just to stay in touch with the family. So, explain it.

Moshe: Well, with Facebook, there’s their own little things. Like, one, grandma has to know not to put too much out about the family. If she puts photos out, be careful of what’s in the photo because you would not be—you would be surprised how many times there has been mortgage fraud and things like that related to documents that were out in the open and people weren’t paying attention. Or, you know, people showing off their tax refunds not realizing, hey, there’s your social right there. You know, like, you see it all the time.

Julia: That’s [laugh] [unintelligible 00:20:42] do this. That’s hilarious—it’s not hilarious. But it’s hilarious that these things, this is just not something that we talk about. It’s not something that my age group grew up with. We didn’t have this kind of stuff. I had a cell phone that weighed ten pounds in the car and only worked after 9 pm.

Moshe: Well, I’m a ’90s kid. I mean, when we took photos, we took photos for us. And it’s a weird concept for a lot of people to understand that when you put something on the internet, it’s not there just for you.

Julia: It’s out there for the world.

Moshe: Yeah. And at the end of the day, the cloud is just another person’s computer. That is what you kind of have to understand. I’m oversimplifying it, but—excuse me—at the end of the day, it’s your data on their infrastructure, so you got to be mindful of that. Like, there was the iCloud leak a while ago with a lot of the celebrities. That happened; they had their data up there.

I’m not going to comment whether they should or shouldn’t, you know, be doing that thing; that’s, you know, everyone’s personal decision, but the fact is, their data was up there, and the risk is, because it was up there, people could have access to it. And that’s all I’m saying at the end of the day, is about having layers. In the case of the iCloud thing, I believe a lot of them didn’t have two-factor enabled. So, two-factor I—for many people that aren’t aware, basically just means when you type in your password, it’s just going to ask for another factor of verification. So—

Julia: Oh, and just for a quick reminder for anybody who finds themselves in the same situation I did, I got Google Authenticator and I loved it. Except when I got a new iPhone and I was unaware that I needed to not erase the first phone first and then send it back I needed to have started the second phone, taken a photo of the first Google Authenticator, and put it on the second phone. Because now I can’t log in on my desktop to—on my desktop only, thank God, because my phone has my facial login and a whole different set of logins—but on my desktop it asks me for the Google authentication six-digit and I can’t get it because I can no longer log into Google Authenticator on my new cell phone because I did not take a picture of the first one from the old cell phone which was then completely erased; that information is gone. And I think that is something that people need to understand. Once it’s gone, it’s gone.

Moshe: And that’s one reason why I like Bitwarden a little bit better because you can put that two-factor code—or TOTP; timed one-time passcode—in Bitwarden. Now, there’s a whole ‘nother discussion if you want to keep the TOTP in the same place as your passwords. That’s a whole other debate. You can get into, you know, making your own databases all that, but the basic knowledge is that you should have two-factor.

And that’s actually what I have in my hand. These are Yubico YubiKeys. These are just—full disclaimer, yes I am affiliated with them, but they’re like an industry-standard in IT now. Like, every IT person is going to go, “Oh yeah, YubiKey.”

Julia: What is it?

Moshe: These are YubiKeys.

Julia: YUb—spell it.

Moshe: They are made by Yubico. Y-U-B-I-C-O. They’re called YubiKeys. They are hardware security keys. I got a bunch of them because, you know, I’m affiliated so they give me a bunch. But every one is unique.

Now, when I say they’re unique, the new standard is that instead of that one-time passcode, each key is unique to the point that I have to register it and then I actually have to physically press—there’s a little copper contact there—to actually let me in. So, you have to have physical access to this key. If I lose it or it breaks, I’m SOL, which is why I have several for backup. The other thing is this can store 32 of those TOTP like the Google authenticators—

Julia: Is that [unintelligible 00:24:36] a USB port or phone?

Moshe: Yep. So this is the YubiKey 5C. So, this is NFC plus a little USB-C. This is the 5Ci, so it’s a lightning connector for iPhone as well as USB-C. And then this is just the regular plain old USB plus NFC. And then I actually have another version I was playing with over here. This is their PhytoKey, that’s Yubico Bio, which is actually it’s—camera doesn’t like it because it’s all black, but it’s got a fingerprint reader on it, so I can actually tie it to my fingerprint to actually log in. So, rather than just having this and then tap, it actually has to be my finger.

Julia: That would be my preference.

Moshe: So, there’s many different ways. Plus, Microsoft and Apple are introducing new requirements for logging in. There eventually—Apple wants to actually have two-factor hardware security keys like this, but they’re actually going to be adding it into the hardware, both Microsoft and Apple. So essentially—

Julia: So, our iPhones would now be $7,000 [laugh].

Moshe: No. It’s going to just basically have the ability for you to take a biometric or something so that way, we can have more secure ways to log into our actual computers. Because, you know, a password is so easy to get into a device. And, you know, that’s one of the things that also a lot of these people, as real estate agents, have to be aware of is, you know, your device security, operational security with your devices, you’re going around, how valuable is the data on your phone, how compartmentalized that data, and if God forbid, your phone or your laptop or something is lost—because most of the computers that you buy—if they’re Windows, they don’t have a feature called BitLocker enabled unless you turn it on which, it encrypts the entire laptop. Which means even without the password of the laptop, I could still just pull the hard drive out, literally just open it up, take the hard drive out, shove it in one of my computers, and I got access to all your documents without any effort.

So, you got to think about if you have a malicious employee, things like that. And this is why we, you know, say we recommend businesses work with managed service providers or have IT: because they need these IT policies and compliance because there’s a lot to get into.

Julia: Let’s recap. Real estate agents, individuals, small businesses under 50, what was it? What do you recommend?

Moshe: For businesses, definitely look into hardware security keys, like, the YubiKey. For general for businesses, I would say, Microsoft Office 365 for your email infrastructure and an MSP. For an individual, maybe proton.me. Definitely two-factor for everybody, whether it be for business, a YubiKey, or the two-factor.

There is Microsoft authenticator, there is Authy, there’s Google Authenticator, there’s several that are great out there. A password manager, of course, whether your business or personal. I like Bitwarden. That’s what I would definitely recommend. Be mindful of also what you put out on social media. Read every email, so don’t trust everything you see. Just because it comes into your inbox doesn’t mean it’s actually, you know, something you should click on. And when in doubt, don’t do it. That would be my general advice.

Julia: —[unintelligible 00:28:02] like a scam, it’s probably a scam. It’s the best advice, like, when you get that pit-in-your-stomach feeling you know it’s wrong, listen to that feeling.

Moshe: Yeah. And like, when I said when in doubt, don’t do it. If you don’t know what you’re doing or anything, don’t click on a link because there’s so many things that can, you know, they can just hijack with a click to open up. Just the best thing to do is when in doubt, call. So, like, even, for example, I once in a while get the, you know, false fraud attempts, where it’s like, “Your credit cards been compromised,” and they’re calling to, you know, actually, you know, defraud you, don’t answer that call. Hang up.

Julia: And then call the credit card company.

Moshe: Call the credit card company and ask, “What’s up?” Go in to the bank. Don’t, you know, deal with anybody on the phone. Microsoft will never call you, unless you’re in an IT business and there’s an audit, but that’s a different issue [laugh].

Julia: [laugh]. You have to go to the offices in Austin and wait outside [laugh]. Anyway. All right, less than 30 seconds. I really appreciate your time today. I want to make sure to put all of the links of all the products that you’re talking about, so please send those to me individually. I will add those to this. Thank you for taking time out of your day to help people understand how to protect themselves and their clients.

Moshe: Well, it’s been my pleasure.

Julia: Guys thank you for Connecting the Knox, connecting Knoxville to the nation. And thank you sponsors for sponsoring our channel today. And if that YubiKey people, we may hit them up for sponsorship on this podcast so [laugh]

Moshe: I can get you in touch with them.

Julia: [crosstalk 00:29:34] a new sponsorship for now. Thank you so much. I appreciate you.