
A Security-Oriented Analysis of Web Inclusions in the Italian Public Administration

Open Access | December 2018

References

  1. Nikiforakis, N., L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel et al. You Are What You Include: Large-Scale Evaluation of Remote JavaScript Inclusions. – In: Proc. of 2012 ACM Conference on Computer and Communications Security (CCS'12), New York, NY, USA, ACM Press, 2012, p. 736. DOI: 10.1145/2382196.2382274
  2. Uesugi, S. You Could've Submitted a Pull Request to Inject Arbitrary JS Code into Donald Trump's Site. – In: Medium [Internet]. 18 August 2016 [Cited 21 August 2018]. https://medium.com/@chibicode/you-can-submit-a-pull-request-to-inject-arbitrary-js-code-into-donald-trumps-site-here-s-how-782aa6a17a56
  3. Hunt, T. The JavaScript Supply Chain Paradox: SRI, CSP and Trust in Third Party Libraries. – In: Troy Hunt Blog [Internet]. 12 February 2018 [Cited 21 August 2018]. https://www.troyhunt.com/the-javascript-supply-chain-paradox-sri-csp-and-trust-in-third-party-libraries/
  4. Zhou, N. Cryptojacking Attack Hits Australian Government Websites. – In: The Guardian [Internet]. 12 February 2018 [Cited 21 August 2018]. http://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites
  5. Lomas, N. Cryptojacking Attack Hits ~4,000 Websites, Including UK's Data Watchdog. – In: TechCrunch [Internet]. 12 February 2018 [Cited 21 August 2018]. http://social.techcrunch.com/2018/02/12/ico-snafu/
  6. Russian Government Website Was Affected by a Malicious Cryptocurrency Mining Script. – In: Altcoin Today [Internet]. 12 June 2018 [Cited 24 August 2018]. https://altcointoday.com/russian-government-website-was-affected-by-a-malicious-cryptocurrency-mining-script/
  7. US Government Site Was Hosting Ransomware. – In: Threatpost [Internet]. 1 September 2017 [Cited 24 August 2018]. https://threatpost.com/us-government-site-removes-link-to-cerber-ransomware-downloader/127767/
  8. Baker, P. "Malicious Attack" on Government Site Hijacked Computers to Mine XMR. – In: The Market Mogul [Internet]. 16 March 2018 [Cited 24 August 2018]. https://themarketmogul.com/crypto-jack-malicious-attack/
  9. Kaska, K., L. Trinberg. Regulating Cross-Border Dependencies of Critical Information Infrastructure. – In: NATO CCD COE [Internet]. 2015. https://ccdcoe.org/sites/default/files/multimedia/pdf/CII_dependencies_2015.pdf
  10. Harašta, J. Legally Critical: Defining Critical Infrastructure in an Interconnected World. – Int. J. Crit. Infrastruct. Prot., Vol. 21, 2018, pp. 47-56. DOI: 10.1016/j.ijcip.2018.05.007
  11. Windelberg, M. Objectives for Managing Cyber Supply Chain Risk. – Int. J. Crit. Infrastruct. Prot., Vol. 12, 2016, pp. 4-11. DOI: 10.1016/j.ijcip.2015.11.003
  12. Kumar, R. P., P. H. Raj, P. Jelciana. Exploring Security Issues and Solutions in Cloud Computing Services – A Survey. – Cybernetics and Information Technologies, Vol. 17, 2017, No 4, pp. 3-31. http://www.cit.iit.bas.bg/CIT_2017/v-17-4/01_paper.pdf DOI: 10.1515/cait-2017-0039
  13. Maggi, F., M. Balduzzi, R. Flores, L. Gu, V. Ciancaglini. Investigating Web Defacement Campaigns at Large. – In: Proc. of 2018 ACM Asia Conference on Computer and Communications Security, New York, NY, USA, ACM, 2018, pp. 443-456. DOI: 10.1145/3196494.3196542
  14. Borgolte, K., C. Kruegel, G. Vigna. Meerkat: Detecting Website Defacements through Image-Based Object Recognition. – In: Proc. of 24th USENIX Security Symposium, USENIX Association, 2015, pp. 595-610.
  15. Bartoli, A., G. Davanzo, E. Medvet. A Framework for Large-Scale Detection of Web Site Defacements. – ACM Trans. Internet Technol., Vol. 10, 2010, pp. 10:1-10:37. DOI: 10.1145/1852096.1852098
  16. Bartoli, A., G. Davanzo, E. Medvet. The Reaction Time to Web Site Defacements. – IEEE Internet Comput., Vol. 13, 2009, pp. 52-58. DOI: 10.1109/MIC.2009.91
  17. Davanzo, G., E. Medvet, A. Bartoli. Anomaly Detection Techniques for a Web Defacement Monitoring Service. – Expert Syst. Appl., Vol. 38, 2011, pp. 12521-12530. DOI: 10.1016/j.eswa.2011.04.038
  18. Content Security Policy Level 3 [Internet]. W3C [Cited 4 September 2018]. https://www.w3.org/TR/CSP/
  19. Weissbacher, M., T. Lauinger, W. Robertson. Why Is CSP Failing? Trends and Challenges in CSP Adoption. – In: Research in Attacks, Intrusions and Defenses (RAID 2014), Springer International Publishing, 2014, pp. 212-233. DOI: 10.1007/978-3-319-11379-1_11
  20. Pan, X., Y. Cao, S. Liu, Y. Zhou, Y. Chen, T. Zhou. CSPAutoGen: Black-Box Enforcement of Content Security Policy Upon Real-World Websites. – In: Proc. of 2016 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, ACM, 2016, pp. 653-665. DOI: 10.1145/2976749.2978384
  21. Weichselbaum, L., M. Spagnuolo, S. Lekies, A. Janc. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. – In: Proc. of 2016 ACM SIGSAC Conference on Computer and Communications Security, ACM, 2016, pp. 1376-1387. DOI: 10.1145/2976749.2978363
  22. Vai sul sito ANVUR? Uno script maligno registra il tuo profilo e lo manda a Singapore [Visiting the ANVUR site? A malicious script records your profile and sends it to Singapore]. – In: ROARS [Internet]. 18 April 2017 [Cited 22 August 2018]. https://www.roars.it/online/vai-sul-sito-anvur-uno-script-maligno-registra-il-tuo-profilo-e-lo-manda-a-singapore/
  23. Borgolte, K., C. Kruegel, G. Vigna. Delta: Automatic Identification of Unknown Web-Based Infection Campaigns. – In: Proc. of 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS'13), New York, NY, USA, ACM Press, 2013, pp. 109-120. DOI: 10.1145/2508859.2516725
  24. Lauinger, T., A. Chaabane, S. Arshad, W. Robertson, C. Wilson, E. Kirda. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. – In: Proc. of 24th Annual Network and Distributed System Security Symposium (NDSS'17), The Internet Society, 2017. https://pdfs.semanticscholar.org/50b5/56396ebc887461015b48ce89c572424bcedf.pdf
  25. Soni, P., E. Budianto, P. Saxena. The SICILIAN Defense: Signature-Based Whitelisting of Web JavaScript. – In: Proc. of 22nd ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, ACM, 2015, pp. 1542-1557. DOI: 10.1145/2810103.2813710
  26. Cova, M., C. Kruegel, G. Vigna. Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. – In: Proc. of 19th International Conference on World Wide Web, New York, NY, USA, ACM, 2010, pp. 281-290. DOI: 10.1145/1772690.1772720
  27. Li, Z., K. Zhang, Y. Xie, F. Yu, X. Wang. Knowing Your Enemy: Understanding and Detecting Malicious Web Advertising. – In: Proc. of 2012 ACM Conference on Computer and Communications Security (CCS'12), New York, NY, USA, ACM Press, 2012, p. 674. DOI: 10.1145/2382196.2382267
  28. Vaas, L. Massive Malvertising Attack Poisons 288 Sites. – In: Naked Security [Internet]. 12 April 2016 [Cited 4 September 2018]. https://nakedsecurity.sophos.com/2016/04/12/massive-malvertising-attack-poisons-288-sites/
  29. Goodin, D. Home Routers under Attack in Ongoing Malvertisement Blitz. – In: Ars Technica [Internet]. 16 December 2016 [Cited 4 September 2018]. https://arstechnica.com/information-technology/2016/12/home-routers-under-attack-in-ongoing-malvertisement-blitz/
  30. Microsoft Patches Zero Day Flaw Used in Two Massive Malvertising Campaigns. – In: Dark Reading [Internet] [Cited 4 September 2018]. https://www.darkreading.com/attacks-breaches/microsoft-patches-zero-day-flaw-used-in-two-massive-malvertising-campaigns/d/d-id/1326908
  31. Piercy, M., A. Singh (Zscaler ThreatLabZ). China's NCGA Government Site Infected with Hidden Malicious Iframe. – In: Zscaler Blog [Internet] [Cited 24 August 2018]. https://www.zscaler.com/blogs/research/chinas-ncga-government-site-infected-hidden-malicious-iframe
  32. Provos, N., P. Mavrommatis, M. A. Rajab, F. Monrose. All Your iFRAMEs Point to Us. – In: Proc. of 17th USENIX Security Symposium, USENIX Association, 2008, pp. 1-16.
  33. Arshad, S., S. A. Mirheidari, T. Lauinger, B. Crispo, E. Kirda, W. Robertson. Large-Scale Analysis of Style Injection by Relative Path Overwrite. – In: Proc. of 2018 World Wide Web Conference, Republic and Canton of Geneva, Switzerland, International World Wide Web Conferences Steering Committee, 2018, pp. 237-246. DOI: 10.1145/3178876.3186090
  34. Heiderich, M., M. Niemietz, F. Schuster, T. Holz, J. Schwenk. Scriptless Attacks: Stealing the Pie Without Touching the Sill. – In: Proc. of 2012 ACM Conference on Computer and Communications Security, New York, NY, USA, ACM, 2012, pp. 760-771. DOI: 10.1145/2382196.2382276
  35. Hashim, A. Microsoft Edge Vulnerability Could Allow for Email and Facebook Data Scraping. – In: Latest Hacking News [Internet]. 22 June 2018 [Cited 23 August 2018]. https://latesthackingnews.com/2018/06/22/microsoft-edge-vulnerability-could-allow-for-email-and-facebook-data-scraping/
  36. Cimpanu, C. Chrome Bug Lets Attackers Steal Web Secrets via Audio or Video HTML Tags. – In: BleepingComputer [Internet]. 15 August 2018 [Cited 23 August 2018]. https://www.bleepingcomputer.com/news/security/chrome-bug-lets-attackers-steal-web-secrets-via-audio-or-video-html-tags/
  37. Van Goethem, T., P. Chen, N. Nikiforakis, L. Desmet, W. Joosen. Large-Scale Security Analysis of the Web: Challenges and Findings. – In: Trust and Trustworthy Computing (TRUST 2014), Springer International Publishing, 2014, pp. 110-126. DOI: 10.1007/978-3-319-08593-7_8
  38. De Nicola, A., M. L. Villani, M. C. Brugnoli, G. D'Agostino. A Methodology for Modeling and Measuring Interdependencies of Information and Communications Systems Used for Public Administration and e-Government Services. – Int. J. Crit. Infrastruct. Prot., Vol. 14, 2016, pp. 18-27. DOI: 10.1016/j.ijcip.2016.06.001
  39. Kirilov, R. Effectiveness of Information Security in the Banks. – Cybernetics and Information Technologies, Vol. 6, 2006, No 2, pp. 70-85. http://www.cit.iit.bas.bg/CIT_06/v6-2/70-85.pdf
  40. Medvet, E., A. Bartoli, G. Davanzo, A. De Lorenzo. Automatic Face Annotation in News Images by Mining the Web. – In: Proc. of 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, 2011, pp. 47-54. DOI: 10.1109/WI-IAT.2011.101
  41. Medvet, E., A. Bartoli, G. Piccinin. Publication Venue Recommendation Based on Paper Abstract. – In: Proc. of 2014 IEEE 26th International Conference on Tools with Artificial Intelligence, 2014, pp. 1004-1010. DOI: 10.1109/ICTAI.2014.152
  42. Meguebli, Y., M. Kacimi, B.-L. Doan, F. Popineau. Unsupervised Approach for Identifying Users' Political Orientations. – In: Advances in Information Retrieval (ECIR 2014), Springer International Publishing, 2014, pp. 507-512. DOI: 10.1007/978-3-319-06028-6_49
  43. Tremblay, M. C., C. Parra, A. Castellanos. Analyzing Corporate Social Responsibility Reports Using Unsupervised and Supervised Text Data Mining. – In: New Horizons in Design Science: Broadening the Research Agenda, Springer International Publishing, 2015, pp. 439-446. DOI: 10.1007/978-3-319-18714-3_36
DOI: https://doi.org/10.2478/cait-2018-0050 | Journal eISSN: 1314-4081 | Journal ISSN: 1311-9702
Language: English
Page range: 94 - 110
Submitted on: Sep 2, 2018
Accepted on: Oct 29, 2018
Published on: Dec 14, 2018
Published by: Bulgarian Academy of Sciences, Institute of Information and Communication Technologies
In partnership with: Paradigm Publishing Services
Publication frequency: 4 issues per year

© 2018 A. Bartoli, A. De Lorenzo, E. Medvet, M. Faraguna, F. Tarlao, published by Bulgarian Academy of Sciences, Institute of Information and Communication Technologies
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License.