Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, who provided a good part of the information.)

Just a couple of weeks ago Ana Marzo, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, not expected (at least by me), of a new Commission regulation related to the NIS Directive, which I have called, in a display of originality, the NIS implementation regulation.

In fact, on 30 January, Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 was published, laying down rules for the application of Directive (EU) 2016/1148 of the European Parliament and of the Council with regard to the specification of the elements to be taken into account by digital service providers in order to manage the existing risks to the security of network and information systems, as well as the parameters for determining whether an incident has a significant impact.

At least it caught me by surprise (and I am sure that some of our readers will feel the same), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that, although in different areas, we had both worked for the same client, one that fits the concept of digital service provider and could therefore be affected, we asked ourselves about the applicability of the regulation to this specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And buying and selling between individuals? Deriving the answer to these questions is the subject of this entry.
[Read more…]

The NSA needs your updates

(Please note this is a translated post from the Spanish version… and that 28th December is in Spain equivalent to April Fools’ Day, so this news was just a joke)

Although this finding is little more than 12 hours old (it appeared yesterday in some Chinese media), it has not taken long to spread through the US specialized media. Among others, Ars Technica, Bruce Schneier, Wired and Dan Kaminsky have published brief reviews commenting on the recent findings made by Lian Li and Huan Chen, Chinese researchers from Peking University.

Apparently, it all began at the end of 2013, while Li and Chen were performing forensic analysis on three compromised computers. Analyzing different Adobe update packages stored on the computers (suspected to be an infection vector), they detected that all of them had a similar structure: the update package and an encrypted data block C1 that could vary from 65536 bytes to several MB.

[Read more…]

NSA, digital walls and a few good men.

It has long been known that the NSA and some similar organizations have surveillance systems deployed to ensure the safety and protection of us all from evil. However, the NSA always preferred to keep this secret to avoid being forced to reject the Nobel Peace Prize. However, after the cases of Snowden, Manning, Assange and other rebels, it is clear that the situation has become unsustainable…
[Read more…]

Forget privacy

(Opinion article published by Manuel Benet in Valencia’s local newspaper on 2nd July 2013)
[Read more…]

The 10 usual errors of an SME in Information Security

There is no doubt that in recent years we have made great progress in Information Security. Gradually, businesses begin to accept the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, while it is not good to fall into doom and gloom, we should not be too lenient either: there is still a long way to go, and progress does not always occur at the speed that would be advisable or desirable, which is fortunate for criminals. Every day we see security breaches in organizations with a strong investment in technological infrastructure and security controls, which should give us an idea of the imbalance of forces.
[Read more…]

This is not about computers anymore. It’s politics.

A few days ago, following the well-known Mandiant report “APT1”, we published a small post where we made some assessments about the alleged Chinese attacks on various public and private organizations. We made public a set of Snort rules that could be used to detect —provided that the information from the Mandiant report is true— whether an organization had been infected. Obviously, if you receive an alert, that should raise some suspicions, but the opposite should not make you assume you are not infected. The resources used for infection are certainly very dynamic, and after the report many of them may have been replaced or eliminated.
[Read more…]

Are you being spied on by the Chinese government?

(Update 20/feb/2013: New signatures added)
[Read more…]

Introduction to PCI DSS: Payment Card Industry Data Security Standard

A month ago, a new edition of the seminar “Recent developments in Payment Systems” took place in Madrid. The seminar, organized by “Athena Interactive”, discussed some of the most important aspects of the payment systems currently in operation.

One of the issues that raised the most comments was the complexity of obtaining the lists of companies audited by the PCI DSS organization, and this seemed interesting enough to write an entry about the function of this organization and its most relevant characteristics.

According to its own website, “PCI Security Standards Council is an open global forum established in 2006”, whose mission is to increase the security of the payment card industry, protect the user and reduce credit card fraud.

[Read more…]

II Security Conference “Navaja Negra”

Next November 30th and December 1st, the second Conference on Information Security “Navaja Negra” will take place in Albacete, with a series of talks focusing on Information Security such as:
[Read more…]

External figures of Spanish Data Protection Act (LOPD)

(Editor’s note: This post relates to the Spanish Data Protection Act, or LOPD. Although the LOPD is based on Directive 95/46/EC, it may not be fully applicable to other countries inside the EU, so several sentences have been modified or eliminated.)
[Read more…]