Tuesday, March 25, 2008

State of Florida Stops Proxy Abuse - ALMOST!

Florida state employees may have screwed themselves over, according to this story, quoted below.

"Some state employees who used a "proxy server" in Germany to tap into their online payroll data may have exposed their personal information to identity theft, prompting a statewide reset of passwords."

A statewide reset of passwords. Hoo-boy. However, all is not lost, as noted in the last paragraph of the article...

"DFS has broken all links with known proxy services. Cate said each user is responsible for using firewalls and anti-virus software, monitoring system updates and not sharing log-ins or passwords with others."

All links with known proxy servers. Hmmm... think so? Let's take a closer look. Below is a screen capture of the proxy the Florida state workers used.

Sharp-eyed readers will noitce the little purple logo in the lower left corner of the page.

If you know what this little guy is, you are a rare person. This is a little Web bug brought to you by eXTReMe Tracking, a company that could care less about your privacy. This graphic sits on a Web page and passively collects information about visitors. Clicking on it will take you to a page showing who has accessed your site, in the form of their IP address, the referrer that brought them there, and a whole lot of other handy information.

To be clear there is no PII (Personally Identifiable Information). Well, almost. It depends on how you get to the site, but I won't go into that.

If you pay for this service, it's private. If you use the free version, anybody can view the information of who is hitting your site.

Right after I read the news story - no more than a minute - I went to the proxy site, found the eXTReMe bug and clicked on it. State of Florida workers were still hitting it.

Here's the screen capture (click for a larger view):

I've edited out all the non-State of Florida host names.

Florida's IT department may want to stop patting themselves on the back take a closer look at this issue.

No comments:

Post a Comment