By Bill Cotterell
Florida Capital Bureau
March 24, 2008
TALLAHASSEE -- State employees who tried to hide their computer tracks
by using a "proxy site" might have exposed their personal information to
hackers in Germany.
The Department of Financial Services found out late last week that, at
least five times, employees contacting the state payroll system had gone
through the proxies that throw up a dead end when supervisors try to
find out where a computer user has been. The department said there have
been no security breaches and no known cases of identity theft, but the
department has ordered a statewide re-set of passwords when employees
access the payroll system.
It doesn't involve e-mail or other computer systems, just the payroll
site where employees can view their W-4 forms and other payment data.
Kevin Cate, deputy communications director for DFS, said a "proxy site"
is like a mirror held up to a computer. He said an employee wanting to
contact a site like YouTube or MySpace on a state computer might go to a
proxy site and then enter several other sites.
If the boss checks later, all that would show would be the employee's
entry to the proxy site.
It's possible that, after using the proxy site for some Web surfing,
employees might have thought they'd logged out -- but they were still
linked to the proxy. Then, when they went on the state's payroll site
and entered their user names and passwords, the information might have
been exposed to anyone on the other end of the computer link.
Cate said DFS has broken all known proxy links. He said the state's
payroll site, MyFloridaCFO.com, is completely secure and if employees
use it, they have nothing to fear. But if they use proxy sites, they
have now way of knowing if their inputs are secure, he said.
Subscribe to InfoSec News