The subject of the UC Berkeley data breach was discussed on the May 15th Security Squad podcast. The thing that struck me was that the breach itself was not the topic of conversation but rather the debate was about whether the breach was in fact newsworthy. If you are not familiar with it, 160,000 Social Security numbers and medical information were stolen in the UC Berkeley data breach. This notion that breaches of the “trusted” internal network are so common that’s possible to discuss with a straight face whether a breach of this magnitude is newsworthy is itself worthy of some discussion.
In this episode of The Deep Queue, I tackle this topic as well as the idea of software “never events”. The term was coined in the medical professions to refer to preventable events with serious or deadly consequences. The kind of events that should never happen such as operating on the wrong body part or wrong person. the National Quality Foundation has developed a list of 28 such events which are used to report and track quality of care across the nation. Bob Charette guested on the CERT Security podcast to campaign for a similar set of events in the software industry. In this episode of The Deep Queue, I propose my own list of WebSphere MQ never events.
Links for this episode:
University of California Berkeley Data Breach
Security Squad, SearchSecurity.com podcast for May 15, 2009
PrivacyRights.org Chronology of Data Breaches
BankInfoSecurity.com – List of banks reported to have been affected by the Heartland breach tops 600
National Quality Forum – Serious Reportable Events (a.k.a. “Never Events”)
CERT Security podcast series for May 5, 2009
WebSphere MQ Security Heats Up – Blog post with downloadable setmqaut scripts to secure administrative access to WebSphere MQ.