4OYS: NM websites score failing grades for security

Created: 07/22/2014 9:49 PM
By: Ryan Luby, KOB Eyewitness News 4

You pay bills online, right? Perhaps you schedule appointments, but how secure are those sites? KOB's investigative team identified several high-profile New Mexico websites, ones New Mexicans use every day, that failed a battery of tests.

The team tested hospitals, banks, utility companies, and state websites using a free online scanning program that's reputable in the information technology industry.

Specifically, KOB investigated HTTPS sites that collect sensitive information.  The sites are typically identified by the lock icon that appears in the corner of a web browser to let users know their information is protected from hackers.

On an A to F scale, the Qualys SSL Lab test analyzes hundreds of security features built into websites -- old features and new features.  It identifies problems that could expose the sites to exceedingly tech-savvy hackers.

"If you get an A, then you're doing things well. If you get an F, then clearly there's something that you need to fix," Ivan Ristic, the developer of the SSL Lab test said in an interview with KOB.

His test is simple: copy and paste a web address into the program and let it do the work.

Websites that scored an F included: PNM, New Mexico Gas Company, U.S. New Mexico Credit Union's home page, Presbyterian Hospital's patient registration site, New Mexico MVD, New Mexico's e-filing services site, and the City of Albuquerque's parking ticket portal.

In some cases, the sites supported an outdated layer of encryption called SSL 2.0. Ristic said it's vulnerable to hackers, especially for anyone who still uses an older version of Internet Explorer on Windows XP.

In other cases, the sites could have allowed hackers to intercept sensitive portions of a consumer's web traffic through a lapse in SSL renegotiation.

SSL stands for Secure Sockets Layer.  Newer security protocols are now referred to as TLS -- Transport Layer Security.  Both are designed to scramble and encrypt sensitive data.

Ristic said IT personnel can typically resolve the issues with ease.

Indeed, last week, after KOB contacted the various companies that scored poorly, each site's grade markedly improved.

"I started this tool because I tried to use encryption on the Internet, and discovered it's terribly, terribly complicated -- there were no tools to tell me if something was actually secure," Ristic said.

He said he developed the tool roughly five years ago as a hobby.  He said Qualys, which specializes in cloud security for medium and large companies, now pays him to continue his work.

Ristic's test has been instrumental for companies to determine if their websites were vulnerable to the Heartbleed security threat, which made national headlines in April.  Heartbleed resulted from a small coding error that could have exposed millions of usernames from global companies like Google, Yahoo, and YouTube.

None of the companies KOB tested were vulnerable to Heartbleed leaks.
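The three weaknesses the story names (SSL 2.0 support, a renegotiation lapse, and Heartbleed) are exactly the kind of per-server findings an SSL Labs assessment reports. The Python below, an added example and not KOB's or Qualys's code, checks a constructed result for those three issues and ranks a host by its weakest server; the field names (endpoints, grade, details.protocols, renegSupport, heartbleed) follow the public SSL Labs API documentation as I recall it and are an assumption.

```python
# Constructed sample shaped like one SSL Labs assessment result. The field
# names follow the public SSL Labs API docs as I recall them (assumption).
SAMPLE_RESULT = {
    "host": "example.invalid",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "grade": "F", "details": {
            "protocols": [{"name": "SSL", "version": "2.0"},
                          {"name": "TLS", "version": "1.0"}],
            "renegSupport": 1, "heartbleed": False}},
        {"ipAddress": "192.0.2.11", "grade": "A-", "details": {
            "protocols": [{"name": "TLS", "version": "1.2"}],
            "renegSupport": 2, "heartbleed": False}},
    ],
}

# renegSupport is a bit mask: bit 0 = insecure client-initiated renegotiation
# is accepted, bit 1 = secure renegotiation (RFC 5746) is supported.
RENEG_INSECURE_CLIENT = 1
RENEG_SECURE = 2

# SSL Labs letter grades from worst to best; anything unknown ranks as worst.
GRADE_RANK = {g: i for i, g in enumerate(["F", "E", "D", "C", "B", "A-", "A", "A+"])}


def findings_for_endpoint(endpoint):
    """List the weaknesses the article names for one server endpoint."""
    details = endpoint.get("details", {})
    issues = []
    versions = {(p["name"], p["version"]) for p in details.get("protocols", [])}
    if ("SSL", "2.0") in versions:
        issues.append("SSL 2.0 supported")
    reneg = details.get("renegSupport", 0)
    # Flag if insecure renegotiation is accepted or secure renegotiation is missing.
    if reneg & RENEG_INSECURE_CLIENT or not reneg & RENEG_SECURE:
        issues.append("insecure renegotiation")
    if details.get("heartbleed"):
        issues.append("Heartbleed")
    return issues


def worst_grade(result):
    """A host is only as strong as its weakest endpoint (e.g. one of several IPs)."""
    grades = [e.get("grade", "F") for e in result["endpoints"]]
    return min(grades, key=lambda g: GRADE_RANK.get(g, 0))


def assess(result):
    """Map each endpoint IP to its findings; an empty list means nothing flagged."""
    return {e["ipAddress"]: findings_for_endpoint(e) for e in result["endpoints"]}


if __name__ == "__main__":
    print(worst_grade(SAMPLE_RESULT), assess(SAMPLE_RESULT))
```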

PNM
PNM now scores an A- on the SSL Labs test.  A company spokesperson said the vulnerabilities were fixed as part of a planned, comprehensive upgrade.

The company also sent a statement:

"Protecting customer information is a top priority for PNM.  Sensitive customer data, such as payment information, is not stored on our site and is processed by a third-party vendor that scored very high on the security evaluation.

The company has been working on a comprehensive system upgrade that includes strengthening website security.  The project was in its final stages when we were informed about the KOB TV story regarding the Qualys analysis.  We decided to move up implementing this specific upgrade to reduce the risk of someone attempting to exploit reported potential security vulnerabilities.

Protecting digital systems from security threats is a continuous and complex process that we take very seriously."

New Mexico Gas

The company now scores a B.  A spokesperson said the company's IT department was already aware of the concerns because they had conducted a third-party vulnerability assessment of the company's systems.

The spokesperson said the company has additional remediation efforts underway.

U.S. New Mexico Federal Credit Union (USNMFCU)

The bank's home page now scores an A-.

The company was quick to point out that its home page, which KOB tested, is nothing more than a "public information website."  Marsha Majors, President and CEO, said the site is "different and distinct" from its online banking website.

KOB tested the home page since it welcomes users to input their usernames at the top of the page.

The banking site has routinely scored an A in the last month.

"Our test score is among the highest in the financial industry and we are satisfied that our public website is protected," Majors said.

Presbyterian Healthcare

The company's patient registration page now scores a B.

In a statement, the company said it is committed to the privacy and security of its patients and members.

"We adhere to federal and industry standards to protect customer information.  We also receive regular audits from state and federal entities and contract with third party providers to test our systems; we constantly monitor our own security.

We continually work to eliminate all potential security vulnerabilities and take these issues very seriously.  When we learned of the recent gap in our Internet security -- SSL renegotiation -- we addressed it immediately and can report that this issue is now resolved."

New Mexico government websites

The New Mexico MVD and NM E-filing Services sites now score a B and a C, respectively.

Estevan Lujan, in New Mexico's Department of Information Technology, said there is some old infrastructure that is being phased out on both sites.

City of Albuquerque parking tickets

The city's parking ticket site now scores a B.

"We were aware that we had older protocols that were supported," Brian Osterloh, the associate chief information officer said.

He explained that portions of the city's website system operate on servers that are 10 years old, servers that don't support newer security protocols.

"We're moving as rapidly as we can, and I think as rapidly as is prudent," Osterloh said.  "We would love to be A-five pluses, but nobody is ever A-five pluses."
