Attacks on web sites that result in the creation of fraudulent content by hackers are ubiquitous. In this work we attempted to assess the ability of Italian public administrations to remain in full control of their web sites.
We examined several thousand sites, including all local governments and universities, and found that approximately 1.5% of the analyzed sites serve content that is admittedly not supposed to be there. This is quite a lot (see the slides or read the paper to understand why).
An analogy with the physical world may illustrate the issue more clearly: when entering the building of a public administration, one would not expect to find offices that are not supposed to exist and are visible only to certain citizens, perhaps depending on where they come from. Unfortunately, this is exactly what could happen on the web sites of public administrations.
It is important to point out that HTTPS—the main and ubiquitous line of defense in sensitive web sites—does not provide any defense in this respect.
From our recent publication at the 8th International Conference on Information Assurance and Security.