funsec mailing list archives

Fwd: [ISN] Sneaky state employees may have inadvertently exposed info to hackers


From: "The Security Community" <thesecuritycommunity () gmail com>
Date: Tue, 25 Mar 2008 10:05:58 -0400

A rather interesting story.  And fun! Proxies are one of my favorite
subjects.  If you go to veryfastproxy.com, the proxy the State workers
were using, you will notice it has an extremetracking.com web-bug in
the lower left hand corner (that little purple Jupiter logo).

If you follow the bug (http://extremetracking.com/open?login=fastprox)
and if you're quick enough, you just may notice the site is still
getting hit by *.state.fl.us addresses.  YMMV as the site gets more
traffic.

I'm not sure if Florida has fixed its problem or made it worse.


---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>
Date: Tue, Mar 25, 2008 at 4:13 AM
Subject: [ISN] Sneaky state employees may have inadvertently exposed
info to hackers
To: isn () infosecnews org


http://www.news-press.com/apps/pbcs.dll/article?AID=/20080324/NEWS01/80324038/1075

 By Bill Cotterell
 Florida Capital Bureau
 Political Editor
 The News-Press
 March 24, 2008

 TALLAHASSEE -- State employees who tried to hide their computer tracks
 by using a "proxy site" might have exposed their personal information to
 hackers in Germany.

 The Department of Financial Services found out late last week that, at
 least five times, employees contacting the state payroll system had gone
 through the proxies that throw up a dead end when supervisors try to
 find out where a computer user has been. The department said there have
 been no security breaches and no known cases of identity theft, but the
 department has ordered a statewide re-set of passwords when employees
 access the payroll system.

 It doesn't involve e-mail or other computer systems, just the payroll
 site where employees can view their W-4 forms and other payment data.

 Kevin Cate, deputy communications director for DFS, said a "proxy site"
 is like a mirror held up to a computer. He said an employee wanting to
 contact a site like YouTube or MySpace on a state computer might go to a
 proxy site and then enter several other sites.

 If the boss checks later, all that would show would be the employee's
 entry to the proxy site.

 It's possible that, after using the proxy site for some Web surfing,
 employees might have thought they'd logged out -- but they were still
 linked to the proxy. Then, when they went on the state's payroll site
 and entered their user names and passwords, the information might have
 been exposed to anyone on the other end of the computer link.

 Cate said DFS has broken all known proxy links. He said the state's
 payroll site, MyFloridaCFO.com, is completely secure and if employees
 use it, they have nothing to fear. But if they use proxy sites, they
 have no way of knowing if their inputs are secure, he said.


 ___________________________________________________
 Subscribe to InfoSec News
 http://www.infosecnews.org/mailman/listinfo/isn
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
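The mechanism the article describes is a URL-rewriting web proxy: every link on a page fetched through it is rewritten to point back at the proxy script with the origin URL carried in the query string, so a login to the payroll site made from inside that "mirror" is submitted to the proxy's server first (TLS, if any, terminates there), and the operator can read the credentials. The following is an added example, not code from the original post, the article, or DFS: it shows the kind of check a defender could run over the organisation's own egress-proxy logs to find exactly that pattern, a request to a rewriting proxy whose query string embeds the payroll site's URL. The log format, client IPs, the `browse.php?u=` parameter naming, the `www.` hostname and the base64 variant on the last log line are all constructed assumptions about how such a proxy script encodes the origin URL.

```python
import base64
import binascii
from urllib.parse import parse_qs, quote, urlsplit

# Hosts whose logins must never travel through a third-party web proxy.
# Only MyFloridaCFO.com appears in the article; the "www." form is assumed.
SENSITIVE_HOSTS = {"myfloridacfo.com", "www.myfloridacfo.com"}

# Constructed egress-proxy log lines ("client_ip method url"), not real
# traffic. The proxy script's parameter name (browse.php?u=...) and the
# base64-encoded variant on the last line are assumptions about how such
# a script embeds the origin URL; real scripts vary.
LOG_LINES = [
    "10.20.30.41 GET http://veryfastproxy.com/index.php",
    "10.20.30.41 GET http://veryfastproxy.com/browse.php"
    "?u=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dabc&b=12",
    "10.20.30.41 POST http://veryfastproxy.com/browse.php"
    "?u=https%3A%2F%2Fwww.myfloridacfo.com%2Fpayroll%2Flogin.aspx&b=12",
    "10.20.30.77 GET https://www.myfloridacfo.com/payroll/login.aspx",
    "10.20.30.52 GET http://veryfastproxy.com/browse.php"
    "?u=http%3A%2F%2Fwww.myspace.com%2F&b=12",
    "10.20.30.63 GET http://veryfastproxy.com/browse.php?u="
    + quote(base64.b64encode(b"https://www.myfloridacfo.com/payroll/").decode(),
            safe="")
    + "&b=4",
]


def _decode_candidate(value):
    """Return a URL if `value` is one, either as given (parse_qs has already
    percent-decoded it) or after base64 decoding; otherwise None."""
    if value.startswith(("http://", "https://")):
        return value
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if decoded.startswith(("http://", "https://")):
        return decoded
    return None


def embedded_target(url):
    """If `url` is a request to a URL-rewriting proxy, return the origin URL
    it carries in its query string; None for ordinary requests."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            target = _decode_candidate(value)
            if target is not None:
                return target
    return None


def find_proxied_sensitive(lines, sensitive_hosts=SENSITIVE_HOSTS):
    """Return (client_ip, method, proxy_host, origin_url) for every request
    that reached a sensitive host through a rewriting proxy."""
    hits = []
    for line in lines:
        client, method, url = line.split()
        outer_host = (urlsplit(url).hostname or "").lower()
        if outer_host in sensitive_hosts:
            # Direct access to the site itself; a ReturnUrl=https://... style
            # parameter on its own login page is not a proxy hop.
            continue
        target = embedded_target(url)
        if target is None:
            continue
        if (urlsplit(target).hostname or "").lower() in sensitive_hosts:
            hits.append((client, method, outer_host, target))
    return hits


if __name__ == "__main__":
    for client, method, proxy_host, target in find_proxied_sensitive(LOG_LINES):
        print(f"{client} {method} {target} via {proxy_host}: reset password")
```

Two of the six constructed lines are flagged: the POST of the login form and the base64-wrapped GET, both from the state side of the egress proxy, which is where DFS could have seen them. The same event is visible from the other end as well: in the payroll site's own access log the login arrives from the proxy operator's address, not from a state range. Proxy scripts that obfuscate the embedded URL with their own encoding defeat this parsing, so the robust control is still to block the anonymiser category at the egress and to reset the credentials of anyone who shows up here.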