Open Access

A Security-Oriented Analysis of Web Inclusions in the Italian Public Administration

ABOUT THIS ARTICLE

Cite

1. Nikiforakis, N., L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel et al. You Are What You Include: Large-Scale Evaluation of Remote Javascript Inclusions. – In: Proc. of 2012 ACM Conference on Computer and Communications Security (CCS’12), New York, NY, USA, ACM Press, 2012, p. 736. DOI: 10.1145/2382196.2382274

2. Uesugi, S. You Could’ve Submitted a Pull Request to Inject Arbitrary JS Code into Donald Trump’s Site. – In: Medium [Internet]. Medium, 18 August 2016 [Cited 21 August 2018]. https://medium.com/@chibicode/you-can-submit-a-pull-request-to-inject-arbitrary-js-code-into-donald-trumps-site-here-s-how-782aa6a17a56

3. Hunt, T. The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries. – In: Troy Hunt Blog [Internet]. Troy Hunt, 12 February 2018 [Cited 21 August 2018]. https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/

4. Zhou, N. Cryptojacking Attack Hits Australian Government Websites. – The Guardian, 12 February 2018. Accessed 21 August 2018. http://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites

5. Lomas, N. Cryptojacking Attack Hits ~4,000 Websites, Including UK’s Data Watchdog. TechCrunch. TechCrunch; 12 February 2018. Accessed 21 August 2018. http://social.techcrunch.com/2018/02/12/ico-snafu/

6. Russian Government Website Was Affected by a Malicious Cryptocurrency Mining Script. – In: Altcoin Today [Internet]. 12 Jun 2018 [Cited 24 August 2018]. https://altcointoday.com/russian-government-website-was-affected-by-a-malicious-cryptocurrency-mining-script/

7. US Government Site Was Hosting Ransomware. – In: Threatpost [Internet]. 1 September 2017 [Cited 24 August 2018]. https://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-downloader/127767/

8. Baker, P. “Malicious Attack” on Government Site Hijacked Computers to Mine XMR – The Market Mogul. – In: The Market Mogul [Internet]. 16 March 2018 [Cited 24 August 2018]. https://themarketmogul.com/crypto-jack-malicious-attack/

9. L K k: T. Regulating Cross-Border Dependencies of Critical Information Infrastructure [Internet]. 2015. https://ccdcoe.org/sites/default/files/multimedia/pdf/CII_dependencies_2015.pdf

10. Harašta, J. Legally Critical: Defining Critical Infrastructure in an Interconnected World. – Int. J. Crit. Infrastruct Prot., Vol. 21, 2018, pp. 47-56. DOI: 10.1016/j.ijcip.2018.05.007

11. Windelberg, M. Objectives for Managing Cyber Supply Chain Risk. – Int. J. Crit Infrastruct Prot. Vol. 12, 2016, pp. 4-11. DOI: 10.1016/j.ijcip.2015.11.003

12. Kumar, R. P., P. H. Raj, P. Jelciana. Exploring Security Issues and Solutions in Cloud Computing Services – A Survey. – Cybernetics and Information Technologies, Vol. 17, 2017, No 4, pp. 3-31. http://www.cit.iit.bas.bg/CIT_2017/v-17-4/01_paper.pdf DOI: 10.1515/cait-2017-0039

13. Maggi, F., M. Balduzzi, R. Flores, L. Gu, V. Ciancaglini. Investigating Web Defacement Campaigns at Large. – In: Proc. of 2018 on Asia Conference on Computer and Communications Security. New York, NY, USA, ACM, 2018, pp. 443-456. DOI: 10.1145/3196494.3196542

14. Borgolte, K., C. Kruegel, G. Vigna. Meerkat: Detecting Website Defacements through Image-Based Object Recognition. – USENIX Security Symposium. usenix.org, 2015, pp. 595-610.

15. Bartoli, A., G. Davanzo, E. Medvet. A Framework for Large-Scale Detection of Web Site Defacements. – ACM Trans. Internet Technol. New York, NY, USA, ACM, 2010, 10: 10:1–10:37. DOI: 10.1145/1852096.1852098

16. Bartoli, A., G. Davanzo, E. Medvet. The Reaction Time to Web Site Defacements. – IEEE Internet Comput. ieeexplore.ieee.org, 2009, 13, pp. 52-58. DOI: 10.1109/MIC.2009.91

17. Davanzo, G., E. Medvet, A. Bartoli. Anomaly Detection Techniques for a Web Defacement Monitoring Service. – Expert Syst. Appl. Elsevier, 2011, 38, pp. 12521-12530. DOI: 10.1016/j.eswa.2011.04.038

18. Content Security Policy Level 3 [Internet]. [Cited 4 September 2018]. https://www.w3.org/TR/CSP/

19. Weissbacher, M., T. Lauinger, W. Robertson. Why Is CSP Failing? Trends and Challenges in CSP Adoption. Research in Attacks, Intrusions and Defenses. – Springer International Publishing, 2014, pp. 212-233. DOI: 10.1007/978-3-319-11379-1_11

20. Pan, X., Y. Cao, S. Liu, Y. Zhou, Y. Chen, T. Zhou. CSPAutoGen: Black-Box Enforcement of Content Security Policy Upon Real-World Websites. – In: Proc. of 2016 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, ACM, 2016, pp. 653-665. DOI: 10.1145/2976749.2978384

21. Weichselbaum, L., M. Spagnuolo, S. Lekies, A. Janc. CSP is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. – In: Proc. of 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2016, pp. 1376-1387. DOI: 10.1145/2976749.2978363

22. Vai sul sito ANVUR? Uno script maligno registra il tuo profilo e lo manda a Singapore. – In: ROARS [Internet]. 18 April 2017 [Cited 22 Aug 2018]. https://www.roars.it/online/vai-sul-sito-anvur-uno-script-maligno-registra-il-tuo-profilo-e-lo-manda-a-singapore/

23. Borgolte, K., C. Kruegel, G. Vigna. Delta: Automatic Identification of Unknown Web-Based Infection Campaigns. – In: Proc. of 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS’13), New York, New York, USA, ACM Press, 2013, pp. 109-120. DOI: 10.1145/2508859.2516725

24. Lauinger, T., A. Chaabane, S. Arshad, W. Robertson, C. Wilson, E. Kirda. Thou Shalt Not Depend on Me: Analysing the Use of Outdated Javascript Libraries on the Web. – In: Proc. of 24th Annual Network and Distributed System Security Symposium (NDSS’17) The Internet Society. pdfs.semanticscholar.org, 2017. https://pdfs.semanticscholar.org/50b5/56396ebc887461015b48ce89c572424bcedf.pdf

25. Soni, P., E. Budianto, P. Saxena. The SICILIAN Defense: Signature-Based Whitelisting of Web JavaScript. – In: Proc. of 2nd ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, ACM, 2015. pp. 1542-1557. DOI: 10.1145/2810103.2813710

26. Cova, M., C. Kruegel, G. Vigna. Detection and Analysis of Drive-by-download Attacks and Malicious JavaScript Code. – In: Proc. of 19th International Conference on World Wide Web, New York, NY, USA, ACM, 2010, pp. 281-290. DOI: 10.1145/1772690.1772720

27. Li, Z., K. Zhang, Y. Xie, F. Yu, X. Wang. Knowing Your Enemy: Understanding and Detecting Malicious Web Advertising. – In: Proc. of 2012 ACM Conference on Computer and Communications Security (CCS’12), New York, NY, USA, ACM Press, 2012, p. 674. DOI: 10.1145/2382196.2382267

28. Vaas, L. Massive Malvertising Attack Poisons 288 Sites. – In: Naked Security [Internet]. 12 April 2016 [Cited 4 Sep 2018]. https://nakedsecurity.sophos.com/2016/04/12/massive-malvertising-attack-poisons-288-sites/

29. Goodin, D. Home Routers under Attack in Ongoing Malvertisement Blitz. – In: Ars Technica [Internet]. 16 December 2016 [Cited 4 September 2018]. https://arstechnica.com/information-technology/2016/12/home-routers-under-attack-in-ongoing-malvertisement-blitz/

30. Microsoft Patches Zero Day Flaw Used in Two Massive Malvertising Campaigns. – In: Dark Reading [Internet] [Cited 4 September 2018]. https://www.darkreading.com/attacks-breaches/microsoft-patches-zero-day-flaw-used-in-two-massive-malvertising-campaigns/d/d-id/1326908

31. ThreatLabz, M. Piercy, A. Singh. China’s NCGA Government Site Infected with Hidden Malicious Iframe | Zscaler Blog. – In: Zscaler [Internet] [Cited 24 August 2018]. https://www.zscaler.com/blogs/research/chinas-ncga-government-site-infected-hidden-malicious-iframe

32. Mavrommatis NPP, Monrose MARF. All Your Iframes Point to Us. – In: USENIX Security Symposium USENIX. usenix.org, 2008, pp. 1-16.

33. Arshad, S., S. A. Mirheidari, T. Lauinger, B. Crispo, E. Kirda, W. Robertson. Large-Scale Analysis of Style Injection by Relative Path Overwrite. – In: Proc. of 2018 World Wide Web Conference. Republic and Canton of Geneva, Switzerland: International World Wide Web Conferences Steering Committee, 2018, pp. 237-246. DOI: 10.1145/3178876.3186090

34. Heiderich, M., M. Niemietz, F. Schuster, T. Holz, J. Schwenk. Scriptless Attacks: Stealing the Pie Without Touching the Sill. – In: Proc. of 2012 ACM Conference on Computer and Communications Security, New York, NY, USA, ACM, 2012, pp. 760-771. DOI: 10.1145/2382196.2382276

35. Hashim, A. Microsoft Edge Vulnerability Could Allow for Email and Facebook Data Scraping. – In: Latest Hacking News [Internet]. 22 Jun 2018 [Cited 23 August 2018]. https://latesthackingnews.com/2018/06/22/microsoft-edge-vulnerability-could-allow-for-email-and-facebook-data-scraping/

36. Cimpanu, C. Chrome Bug Lets Attackers Steal Web Secrets via Audio or Video HTML Tags. – In: BleepingComputer [Internet]. BleepingComputer.com; 15 August 2018 [Cited 23 August 2018]. https://www.bleepingcomputer.com/news/security/chrome-bug-lets-attackers-steal-web-secrets-via-audio-or-video-html-tags/

37. Van Goethem, T., P. Chen, N. Nikiforakis, L. Desmet, W. Joosen. Large-Scale Security Analysis of the Web: Challenges and Findings. Trust and Trustworthy Computing. – Springer International Publishing, 2014, pp. 110-126. DOI: 10.1007/978-3-319-08593-7_8

38. De Nicola, A., M. L. Villani, M. C. Brugnoli, G. D’Agostino. A Methodology for Modeling and Measuring Interdependencies of Information and Communications Systems Used for Public Administration and e-Government Services. – Int. J. Crit. Infrastruct. Prot., Vol. 14, 2016, pp. 18-27. DOI: 10.1016/j.ijcip.2016.06.001

39. Kirilov, R. Effectiveness of Information Security in the Banks. – Cybernetics and Information Technologies, Vol. 6, 2006, No 2, pp. 70-85. http://www.cit.iit.bas.bg/CIT_06/v6-2/70-85.pdf

40. Medvet, E., A. Bartoli, G. Davanzo, A. D. Lorenzo. Automatic Face Annotation in News Images by Mining the Web. – In: 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, 2011, pp. 47-54. DOI: 10.1109/WI-IAT.2011.101

41. Medvet, E., A. Bartoli, G. Piccinin. Publication Venue Recommendation Based on Paper Abstract. – In: 2014 IEEE 26th International Conference on Tools with Artificial Intelligence, 2014, pp. 1004-1010. DOI: 10.1109/ICTAI.2014.152

42. Meguebli, Y., M. Kacimi, B.-L. Doan, F. Popineau. Unsupervised Approach for Identifying Users’ Political Orientations. Advances in Information Retrieval. – Springer International Publishing, 2014, pp. 507-512. DOI: 10.1007/978-3-319-06028-6_49

43. Tremblay, M. C., C. Parra, A. Castellanos. Analyzing Corporate Social Responsibility Reports Using Unsupervised and Supervised Text Data Mining. New Horizons in Design Science: Broadening the Research Agenda. – Springer International Publishing, 2015, pp. 439-446. DOI: 10.1007/978-3-319-18714-3_36

eISSN:
1314-4081
Language:
English
Publication frequency:
4 times per year
Journal subjects:
Computer Sciences, Information Technology