Abstract
Just a few days after Thanksgiving Day in 2013, an attacker who had evaded Target's defenses installed malware in its security and payment systems. It was the peak business season for any retailer in the United States. While customers were busy getting ready for Christmas, the malware sitting in Target's payment system silently captured credit card data from the cashiers' terminals and stored it on a server under the attacker's control. Forty million credit card numbers were stolen in this way from 1797 Target stores around the country. It was a huge breach of trust and credibility for the retailer, and in March 2015 a federal judge in St. Paul, Minnesota, approved a $10 million offer by Target to settle the lawsuit over the data breach.
© 2020 Prabath Siriwardena
Siriwardena, P. (2020). Designing Security for APIs. In: Advanced API Security. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-2050-4_2
DOI: https://doi.org/10.1007/978-1-4842-2050-4_2
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-2049-8
Online ISBN: 978-1-4842-2050-4
eBook Packages: Professional and Applied Computing; Apress Access Books; Professional and Applied Computing (R0)