Herrera says it is, but an IT employee who’s on leave and under investigation says people’s usernames and passwords are at risk
Secretary of State Mary Herrera claimed in a guest column published today in the Albuquerque Journal that her agency’s computer systems “are now secure,” no data was lost and development of a new campaign finance reporting system is “back on track.”
But Brad Allen, an information technologies employee who has been on leave ever since the secretary of state’s Web site and computer systems went offline two weeks ago, said one key vulnerability remains: There is no encryption on the log-in page for Uniform Commercial Code filings.
That means when people log into the system to file required business reports, their usernames and passwords could be visible to hackers, Allen said.
“Password data should always be encrypted, no matter what,” he said. “Everybody does it. It’s not that hard to do.”
http vs. https
Prior to the recent problems, the log-in page used the more secure Hypertext Transfer Protocol Secure (https at the start of the Web address), which utilizes something called SSL encryption, Allen said. Now it’s using the less secure Hypertext Transfer Protocol (http at the start of the Web address).
While there are other ways to secure information stored in the secretary of state’s databases — methods that wouldn’t be obvious to someone viewing the site — Allen said the use of SSL encryption is the only way to ensure the security of information sent from a person’s Web browser to the secretary of state’s server.
In an e-mail, Herrera wrote that it would be “unwise and not prudent” to have an unsecure site and said “the information you are been given regarding SSL encryption with respect to the secretary of state’s Web applications is untrue.” She did not elaborate.
This is all Herrera said in today’s guest column about the Web site’s security:
“My No. 1 priority is to ensure that our network is properly secured in order to protect the integrity of all information submitted to our office. I am pleased to confirm that all of our systems are now secure, no data has been lost, and our goal to implement a new campaign finance reporting system is now back on track.”
Allen said he is publicly talking about the lack of security on the site because he is concerned about the potential harm hackers could do, not because he wants to point a finger at Herrera or others in her office.
Allen is under investigation
Allen was placed on administrative leave around the same time unspecified problems knocked out all systems in the office, including the new campaign finance reporting system he had been developing.
Officials completed work Thursday on efforts to restore the Web site and other systems but have still not fully explained what caused the problems.
Without naming Allen, Herrera wrote in today’s guest column that an employee in her office is under investigation because of “actions which occurred and information learned” during a recent security review that coincided with the problems with computer systems. She wrote that those problems “revealed that our network was vulnerable to potential interference.”
“This investigation involves potential criminal violations and is a personnel matter,” Herrera wrote. “In order to preserve the integrity of the investigation and also protect the rights of this employee, I will not at this time discuss the details of this investigation and will allow the proper authorities to proceed according to their protocol.”
While Herrera did not name the employee, her statement builds on what Deputy Secretary of State Don Francisco Trujillo II told the New Mexico Independent earlier this week. He said the agency had started an inquiry into Allen based on information gleaned by the security test.
Trujillo did not mention Allen by name but acknowledged that the inquiry involves the only agency employee who is on paid leave, which is Allen. When asked if the investigation involved law enforcement, Trujillo said, “We have begun an investigation which involves other agencies. I won’t discuss it any further.”
Prior to that, the agency had said Allen was not under suspicion despite being on leave.
Herrera refused to comment on Allen’s employment or answer questions about the criminal investigation today because it’s a personnel issue. Allen also declined to comment on the status of his employment and the investigation.