National Seminar on Privacy and Data Protection in Bangalore on October 17, 2008
Webcam Snooping: Watch Out When You Are in Front of Your Computer
Sept 24: Computer security specialists are warning about trojans which can activate your webcam and snoop on you and your surroundings.
Open Source for HIPAA Compliance
Sept 24: Security advisors all over the world are advocating the use of Open Source software as a security initiative. The reason is that proprietary software, whose source code is not transparent, is considered a "security risk". Though a "Source Code Audit" by a reliable agency can mitigate the risk to some extent, the source code also needs to be escrowed if the dependency on the supplier is to be eliminated. In the unfortunate event of the supplier ceasing to exist after a while, the software user is left holding an application which may be unsupported and turn obsolete, rendering the data at risk of becoming inaccessible.
The Health e-Information Technology Act 2008, dated September 15th, would if enacted require the creation of an Open Source health system. Such an open source system appears to be already available under the name VistA, a health care information management application available free! (The name appears to have been taken prior to Microsoft launching its own Vista.) HIPAA covered entities as well as Business Associates in India may well start testing this new platform and be ready to migrate before a legal compliance deadline. Related Article in linuxjournal
BJP to Interact with IT Professionals
Sept 23: BJP is conducting its Third National IT Convention in Chennai between September 27th and 29th 2008. It is interesting to note that the party has invited several IT professionals, including Naavi, to discuss various issues of IT policy during the convention. The convention is expected to be attended by party members, legislators and students. The initiative to make legislators aware of the issues in IT, including Cyber Crimes, is a welcome step for any responsible political party. We hope other parties are equally hungry for tech information. Programme
E-Mail Snooping Required for National Security
Sept 22: R K Raghavan, the former CBI Director and information security consultant, suggests a proper mechanism to police E-Mail exchanges to gather intelligence on terrorist activities. This is part of the National Cyber Security Infrastructure that Naavi.org has been advocating. The sooner action is taken on this, the better. In order to follow the terrorist strategy of exchanging confidential messages through the "Draft Folder", there is a need for cooperation from ISPs and E-Mail service providers. Similarly, there is a need for cracking Steganography to make the policing effective. Notwithstanding the difficulties, a beginning has to be made if we are to rid the country of terrorism. Related article in business line
Why Intermediaries should not be Protected under ITA-2000 Amendment Bill
Sept 21: One of the consistent stands Naavi.org has taken over the last 3 years, since the amendment to ITA 2000 came under discussion, is that ITA 2000 should not be diluted to let Intermediaries escape the responsibilities cast on them by the current version of ITA 2000 under "Due Diligence". This is also the very point on which the framers of the amendment have been consistent: their attempt is to amend Section 79 to state that "Intermediaries shall not be liable under any law in India unless abetment and conspiracy is proved against the Intermediary". Though the discussion was in relation to whether baazee.com should be made liable in the DPS case or not, we have been pointing out that the proposed amendment would seriously jeopardize the interests of law enforcement, particularly in preventing the misuse of the Internet by terrorists.
Clear evidence of such a possibility is now highlighted in the analysis presented in this article (at offstumped.nationalinterest.in), where the role of a hosting company called "Dreamhost" has been indicated in the recent bomb blasts in India. According to the analysis presented, Indian Mujahideen has a nexus with countercurrents.org and the said hosting company. Under the current ITA 2000, it is possible to make the hosting company and countercurrents.org answerable either under ITA 2000 or the IPC. But if the proposed amendments are carried through, the company would remain out of reach.
When the proposed amendments are presented in the next Parliament session, we suppose our Parliamentarians would remember the need to put reins on the Intermediaries.
Related Article in Naavi.org:
Full Discussion on the Proposed Amendments: http://www.naavi.org/naavi_comments_itaa/index.htm
Are the Mobile Service Providers Ready for the Challenge?
Sept 21: The RBI guidelines on mobile banking have opened a new avenue of business for mobile service providers. By upgrading their service offerings, mobile service providers can reap a new source of e-commerce revenue to offset the falling revenue on the voice call side.
In order to fully exploit the opportunities presented by Mobile Banking, the service providers also need to introduce appropriate process and information security for their operations. ..More
Mobile Banking Guidelines Released
Sept 21: RBI has released new Mobile Banking guidelines for Banks. The guidelines restrict the transaction value to RS 2500/- per transaction and RS 5000/- per day. Other information security guidelines have also been imposed. The security requirements are such that Banks would require some time before they can think of launching the services in full compliance with the guidelines. We have to wait and see whether Banks go ahead and introduce Cyber Law non-compliant systems, as they did with the Internet Banking guidelines, or wait for full compliance capability before rushing in. Copy of Guidelines
Need for Private Sector Participation in Cyber Security
Sept 20: Naavi, in his recommendation on a "National Cyber Security Force" during Digital Society Day 2007, highlighted the need for private sector participation in national Cyber Security initiatives. A similar view has now been expressed in the US, as indicated by this article in itbusiness. It is recognized that in developing an effective national cyber security policy,
HIPAA to be Hardened?
The Bill will
IS Officials in Private Sector
Sept 17: A key question has arisen in relation to the appointment of Information Security officials in Private Sector organizations such as Airlines. It is understood that Jet Airways had appointed a Singapore National as their Chief Security Official and the overwhelming opinion in
At a time when the Indian private sector IS network is expected to work along with the Government's security efforts, there is a need for the IT industry to develop norms for the appointment of IS officials, which may include a strict background check, Police clearance and restrictions such as on the nationality of the individual.
Such measures may encourage the Government to include the private sector in its IS policy formulations. Otherwise there will be a Public Sector-Private Sector divide in information sharing and IS co-operation, which is not ideal.
WIFI Security Guidelines
Sept 17: Following a series of incidents in which terrorists used open WiFi networks, it is reported that the Government of India is planning to draft guidelines for ISPs to ensure the security of WiFi networks. Article in Hindu
Naavi.org had earlier brought to the attention of the public a case of WiFi misuse in Bangalore where a BSNL client had complained that his connection was misused by some of his neighbours and he ran up a bill of RS 1.2 lakhs.
When this complaint was taken to the Police with a request that the case be registered as "Hacking" under ITA 2000, the then officials in charge of the Cyber Crime Police station, Bangalore, in their own wisdom refused to accept that the "Unauthorized use of another person's WiFi account" could be considered a "Section 66 offence". In this case the complainant, who was himself a software professional, had also produced sufficient prima facie evidence to identify the suspect computers, which appeared to belong to employees of prominent IT organizations. However, the concerned officers forced the complainant to seek a compromise with BSNL and suffer a financial loss.
We stated at that time, and we once again reiterate, that had a case been booked under Section 66 at that time, public awareness of the need to secure WiFi connections could have been created. It is necessary for the Police to revisit the unauthorised WiFi access process and prepare themselves to accept such complaints, at least in future. Such a complaint would have created a public awareness that could possibly have helped the public to tighten up the WiFi security of their respective connections. The opportunity was missed.
The security of WiFi has to be managed by the users by setting an appropriate password. This requires proper guidelines from the ISP to the customers. Normally the BSNL staff, while installing the facility, use some standard password (e.g., 1234) or leave the password blank. Most users never touch this configuration. Hence it would be easy for hackers to get into WiFi networks even without any sophisticated software to listen to and decipher the WiFi activity. We need to first stop this possibility. Then we can consider other measures.
Related Article in TOI-Chennai : Related Article in IE
Metrics for Information Security
Sept 16: The Center for Internet Security plans to release a set of security metrics to help organizations gauge their security posture. The effort involved more than 80 IT security experts from government, academia and business. The metrics help organizations check how effectively they have deployed security technologies and policies. The CIS metrics are meant to help organizations determine their security posture using a consensus-based measuring stick. In general, the initial set of outcome and process metrics includes: mean time between security incidents, percent of systems patched to policy and percent of business applications that have had a risk assessment. Other metrics will deal with the percent of systems with anti-virus, the percent of systems configured to approved standards, the mean time it takes to recover from security incidents and the percent of application code that has had either a security assessment, threat model analysis or code review prior to production deployment. Related Article in e-Week
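The metrics listed above, computed from a constructed inventory and incident list, as an added illustration that is not CIS's own definitions or code. The record fields, the 30-day patch-policy window and the sample data are all assumptions made for the example.

```python
"""Compute the outcome and process metrics named in the CIS announcement
from constructed inventory and incident records (added example; field
names, the 30-day patch window and the sample data are assumptions)."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass
class System:
    name: str
    last_patched: date       # date the last policy-required patch was applied
    antivirus: bool          # endpoint anti-virus present and running
    meets_standard: bool     # configuration matches the approved baseline


@dataclass
class Application:
    name: str
    risk_assessed: bool      # formal risk assessment on file
    code_reviewed: bool      # security assessment, threat model or code review before production


@dataclass
class Incident:
    detected: datetime
    recovered: datetime


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def pct_patched_to_policy(systems: List[System], as_of: date, max_age_days: int = 30) -> float:
    # A system is "patched to policy" if its last patch is no older than the policy window.
    return pct(sum(1 for s in systems if (as_of - s.last_patched).days <= max_age_days), len(systems))


def mean_time_between_incidents_days(incidents: List[Incident]) -> Optional[float]:
    """Mean gap in days between consecutive detections; None with fewer than two incidents."""
    times = sorted(i.detected for i in incidents)
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(times, times[1:])]
    return round(sum(gaps) / len(gaps), 2)


def mean_time_to_recover_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean detection-to-recovery time in hours; None when there are no incidents."""
    if not incidents:
        return None
    hours = [(i.recovered - i.detected).total_seconds() / 3600 for i in incidents]
    return round(sum(hours) / len(hours), 2)


def scorecard(systems: List[System], apps: List[Application],
              incidents: List[Incident], as_of: date) -> Dict[str, Optional[float]]:
    """All seven metrics from the announcement, keyed by name."""
    return {
        "mean_time_between_incidents_days": mean_time_between_incidents_days(incidents),
        "pct_systems_patched_to_policy": pct_patched_to_policy(systems, as_of),
        "pct_apps_risk_assessed": pct(sum(1 for a in apps if a.risk_assessed), len(apps)),
        "pct_systems_with_antivirus": pct(sum(1 for s in systems if s.antivirus), len(systems)),
        "pct_systems_configured_to_standard": pct(sum(1 for s in systems if s.meets_standard), len(systems)),
        "mean_time_to_recover_hours": mean_time_to_recover_hours(incidents),
        "pct_apps_code_reviewed": pct(sum(1 for a in apps if a.code_reviewed), len(apps)),
    }


# Constructed sample inventory, applications and incidents (not real data).
SYSTEMS = [
    System("web01", date(2008, 9, 1), antivirus=True, meets_standard=True),
    System("db01", date(2008, 7, 15), antivirus=True, meets_standard=True),
    System("ws17", date(2008, 9, 10), antivirus=False, meets_standard=True),
    System("legacy", date(2008, 3, 2), antivirus=False, meets_standard=False),
]
APPS = [
    Application("crm", risk_assessed=True, code_reviewed=True),
    Application("payroll", risk_assessed=True, code_reviewed=True),
    Application("portal", risk_assessed=False, code_reviewed=True),
    Application("intranet", risk_assessed=False, code_reviewed=False),
]
INCIDENTS = [
    Incident(datetime(2008, 9, 1, 9), datetime(2008, 9, 1, 15)),
    Incident(datetime(2008, 9, 5, 9), datetime(2008, 9, 6, 9)),
    Incident(datetime(2008, 9, 11, 9), datetime(2008, 9, 11, 12)),
]

if __name__ == "__main__":
    for metric, value in scorecard(SYSTEMS, APPS, INCIDENTS, date(2008, 9, 16)).items():
        print(f"{metric:40s} {value}")
```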
HIPAA emerging as a defacto Privacy Standard
Sept 13: HIPAA was enacted basically as a tool for the protection of privacy of health data in the US. The act had certain penal provisions which were considered capable of being invoked only by the regulators. There has so far been a view that private legal action for a HIPAA violation is not in order. However, this view appears to be changing now. On the one hand, after years of soft implementation, HHS has started aggressive enforcement during the current year. At the same time, the public are demanding that implementation be even more aggressive and are also invoking HIPAA to claim damages for privacy breaches. Related article in injuryboard.com Related Article in lorman.com
Hackers Target BigBang Experiment
Sept 12: Hackers have claimed to have broken into one of the computer networks of the Large Hadron Collider (LHC), the 4.4-billion-pound machine designed to expose the secrets of the cosmos, raising concerns about the security of the world's biggest experiment, which is referred to as the "Big Bang Experiment". A group calling itself the 'Greek Security Team' said the hackers mocked the IT used on the project near Geneva and described the technicians handling security as "a bunch of school kids." However, they said they had no intention of disrupting the work of the atom smasher. The incident nevertheless exposes the risks faced by such experiments and the dangers if terrorist groups get access to such systems. Report in techherald
Rs 1 Crore lost in Chennai for Phishing
Sept 12: According to a report from Chennai, over Rs 1 crore is reported lost in recent days by Chennaiites due to Phishing Frauds.
Naavi.org considers that Banks in India have been grossly negligent and knowingly practising unsafe Internet Banking, exposing customers to Phishing risks. In one of the cases brought to light, which is presently before the Adjudicator of Tamil Nadu, the fraudulently drawn money was credited to another account in the same Bank and withdrawn in cash. The Bank had also used part of the proceeds to adjust an overdraft account in the name of the beneficiary. Though the beneficiary was a Current Account holder, the Bank expressed its inability to trace the customer, indicating a violation of the Anti Money Laundering Act. It also had CCTV footage of the person withdrawing the cash, which was not made available to the complainant. Additionally, despite RBI's instructions to Banks to use Digital Signatures for authenticated communication, Banks are avoiding the use of Digital Signatures and communicating with customers through e-mails that are not digitally signed and can be easily spoofed.
Customers of Banks who fall victims to Phishing need to question the contributory negligence on the part of Banks and hold them liable for the loss. We may recall here that in a recent case in Germany the Court has rightly held the Bank liable for Phishing and such a strict stand needs to be taken even in India.
Article in TOI : Related German Court Decision
Anytime Police in Karnataka
Sept 11: Karnataka IG & DGP Sri R.Srikumar has ushered in a new era in the Karnataka Police which should gladden the hearts of all those who wish the Police to become more and more citizen friendly. Now it is possible for any person to call a toll free number and register a complaint. It is also possible to send an e-mail and file a complaint without worrying about which Police Station has jurisdiction. The most important aspect is that normally the public are afraid of approaching the Police because they feel that they themselves become victims if the accused is influential. Most of the time the complaint may also not get registered. Computerised kiosks in villages are also being planned so that no person needs to walk more than 2 km to file a complaint.
The new complaint filing system will prevent SHOs from exercising discretion and rejecting complaints against influential persons, or where the complainant is not willing to put sufficient weight behind his complaint.
Outsourcing of Criminal Activities to India
Sept 11: India is known as a source of skilled IT manpower. This manpower is used not only for positive work in the IT field but also for "Outsourced Criminal Activities". These activities take the form of development of Phishing websites, development of pornographic content, etc. Recently, one more activity appears to have been added to these Outsourced Criminal Activities: the "Breaking of CAPTCHAs", reportedly carried out at a meagre rate of US $2 to $5 per thousand.
(CAPTCHA stands for
Experts feel that there are One such service provider is
It must be stated that all the persons working on such projects are actually committing an offence under Indian laws as well as foreign laws. Companies engaged in such services could easily be hauled up both under ITA 2000 and the IPC. ..More
Woman Techie Booked for Cyber Crime
Sept 11: E Article in economictimes
Parliamentary Committee Directs Banks to Take steps to tackle Cyber Crimes
Sept 11: The parliamentary standing committee on personnel, public grievances, law and justice on Wednesday asked public sector banks to devise a special monitoring system to check cyber crimes and to strengthen the present vigilance system to curtail corruption. The committee observed that the present banking set-up was not equipped to tackle cyber crimes, which are quite familiar at the international level. The committee was concerned about the effects of cyber crimes on the Indian banking system.
These recommendations were revealed by the committee during its interaction with the top brass of Bank of India, Dena Bank, Central Bank of India, Bank of Baroda, Union Bank of India and Bank of Maharashtra. The committee discussed at length various other measures to contain corruption and strengthen the vigilance mechanism to detect frauds. It is expected to prepare a report on these issues by November.
It may be recalled that Naavi.org has recently pointed out that Banks may be held liable for "Phishing" if they are negligent. RBI has many times indicated to Banks that they should use secure methods such as digital signatures for communication with customers, which Banks are conveniently ignoring. Sooner or later the judiciary will come down heavily on Banks for this knowing omission of a security provision mandated in law. The statement from the Parliamentary committee is another reminder to the Bankers.
Article in Financial Express
Company fined US $100,000 for not encrypting data
Sept 10: Seattle-based Providence Health & Services agreed to pay $100,000 to settle what HHS described as "potential violations" of the Health Insurance Portability and Accountability Act's requirements arising out of the loss of laptops and media devices containing unencrypted information. On several occasions in 2005 and 2006, equipment was reported missing after workers took it out of the office with them. Unencrypted medical records of more than 386,000 Providence patients were lost in the process. Under the agreed corrective action plan (CAP), Providence has to revamp its security policies to include physical protections for portable devices and for the off-site transport and storage of backup media.
The security action items that Providence Health & Services agreed to include: revising policies and procedures for safeguarding patient data while it is stored at or being transported to off-site facilities; training all workers on security policies and submitting proof to HHS that the training has been completed; updating policies as needed, but at least annually; ensuring that a security risk assessment and management plan and a data breach notification policy are in place; and conducting reviews that include unannounced audits, spot checks and site visits at company facilities.
Details in computerworld.com
Open Source initiative adopted in e-Governance
Sept 8: In a significant development worth noting, the Government of India has taken steps to adopt Open Source in e-Governance applications. Bharat Operating Systems Solutions (BOSS) Linux Software Version 3.0, developed by NRCFOSS (National Resource Centre for Free/Open Source Software) through a DIT initiative, has been adopted by DIT, New Delhi. The Centre for Development of Advanced Computing (C-DAC) signed a Memorandum of Understanding (MOU) with the National Informatics Center (NIC) on 04.09.2008 to implement BOSS Linux on e-Governance applications developed and maintained by NIC.
AP Police being Impersonated by Cyber Fraudsters
Sept 3: Recently the press in India carried reports about a sting operation in the USA where an Indian software worker had reportedly been trapped by a private sting operator and charged with attempting the sexual inducement of a minor girl in a chat room. In India sting operations are normally undertaken by the Press and not by the Police. The Police do undertake intelligence operations to trap criminals such as terrorists, but rarely have they been found to be active in Cyber Space.
However, it appears that there is now a group of persons in Hyderabad posing as Police officers conducting sting operations to trap persons indulging in sexually explicit conversations in chat rooms. While Naavi.org has been recommending action against serious offenders such as the s_bhabhi.com owners and the Police have turned a deaf ear to the same, it was surprising to come across the incident from Hyderabad where one Mr Chandra, supposedly from the Cyber Department, was threatening a software employer that he had indulged in obscene chat conversations and that action would be taken against him. He also gave the name of a police officer, Veena Devi of the Hayathnagar Police station, as the Cyber Inspector in charge of the complaint and advised the person to meet her.
Naavi.org considers this a fraudulent activity even if some lower level police officers are involved in the racket. We request the higher officers of the AP Police to investigate the matter and prevent such harassment of the general public.
We had recently come across an incident in another city where a software professional had to part with a million rupees to protect his minor son from being charged with a Section 67 offence. Hopefully the Hyderabad incident does not reflect a similar attempt by some police officers to extract money from an unsuspecting public who might or might not have really erred. Related Article in Techgoss.com Related Article in Deccan Chronicle-Bangalore-5/9/08
A New Kind of Fraud?
Sept 2: Recently, Naavi.org received information about a new kind of fraud from Chennai. This fraud targets new IT companies which are eagerly looking for software projects. It is a case of suspected fraud where a consultant promised a Company an overseas project, faked e-mail correspondence and enjoyed, for himself and his group of friends, nearly six months of salary and consultancy charges.
Naavi.org invites companies to report if they have faced similar instances. They are also advised to be on guard against such fake project vendors and to check the veracity of claims made by consultants, particularly when the promised project is from abroad and it is difficult to establish its genuineness. ..Details
Hyderabad Police Charge a Techie under Section 66
Hyderabad police have filed a case under Section 66 of ITA 2000 on charges of having stolen the company's software and trying to sell it. Kunapareddy Sita Venkata Ravi Kumar alias Ravi, 33, who had worked as a software engineer for Tecra Systems, allegedly stole products and custom applications developed for various clients of Tecra Systems by copying them onto his personal laptop.
On a complaint lodged by Krishna Prasad Gondi, managing director of Tecra Systems Private Limited, a case was registered (Crime number 194/2008) under sections 420, 406, 380 of IPC and sections 65, 66 of the IT Act on August 19. ..More in TOI
SC stays proceedings against eBay
August 26: The Supreme Court today (August 25) stayed the proceedings against auction portal eBay India and its chief Avinash Bajaj for allegedly permitting sale of an MMS clip showing two school students from a Delhi school indulging in a sexual act. A bench headed by Justice Altamas Kabir, while issuing notice to the Delhi government, stayed the proceedings under Sections 67 and 85 of the Information Technology Act, 2000.
The petitioner has contended that Section 67 of the Act does not define the term obscenity, and thus liability cannot be fixed on him for merely listing the 2.37-minute video clip even if it was obscene. “Even assuming that the video clip is obscene, mere ‘listing’ cannot be obscene for the purpose of Section 67 of the Act merely because the video clip may be obscene,” he said while seeking the quashing of all the proceedings against him. Report in apakistannews.com
Company Law to Amend ITA 2000?
August 26: It is reported that Company law is proposed to be amended to enable e-mail to be considered as evidence. While the objective is good, it must be pointed out that there is no need for such an amendment, since the law already recognizes e-mail, being an electronic document, as evidence. There is also clarity on the fact that a digitally signed e-mail is admitted as evidence against the signer without any further proof, while an e-mail that is not digitally signed may be admitted as evidence but needs to be proved as to data integrity and origination.
It is preferable that multiple legislations not be allowed to tamper with the law; whatever clarifications are required should be attempted through ITA 2000 alone.
Report in ET
PR Syndicate honours 'Cyber Law Guru of India', Na.Vijayashankar
PR Syndicate (an organization of Corporate PR Professionals in Chennai) celebrated its First Anniversary on 20th January 2007 at the Russian Cultural Centre. On the occasion, the "Award of Excellence in Public Life" was presented to the 'Cyber Law Guru of India', Na.Vijayashankar...More
Naavi's latest book "Cyber Laws Demystified" was soft launched at the Nimhans Convention Center during the Indian Police Congress. The book is a comprehensive coverage on Cyber Laws both ITA-2000 as well as IPR and other issues.
Structured into 24 chapters it also covers the proposed amendments to ITA-2000 in detail as an appendix. A copy of the Information Technology Act 2000 is also appended to the book.
The book also has several individual chapters on the legal issues of Cyber Banking, Cyber Advertising, Cyber Taxation and Cyber Terrorism.
The book is priced at Rs 750/-.
For Enquiries and Bulk orders click here.
What is Naavi.org?
Naavi.org is India's premier portal on Cyber Law. It is not only an information portal containing information on several aspects concerning Information Technology Law in India but also represents the focal point of several services around Cyber Law carried on by Naavi.
The first such service is the Cyber Law College a virtual Cyber Law education center in India which provides various courses on Cyber Law.
The second key service is the Cyber Evidence Archival center which provides a key service to help administration of justice in Cyber Crime cases.
The third key service is the domain name look-alikes dispute resolution service, which provides a unique solution for websites with similar looking domain names to co-exist.
The fourth key service is the online mediation and arbitration service another unique global service.
The fifth key service is the CyLawCom service which represents the Cyber Law Compliance related education, audit and implementation assistance service.
Additionally, Naavi.org is in the process of development of four sub organizations namely the Digital Society Foundation, Naavi.net, International Cyber Law Research Center and Cyber Crime Complaints and Resolution Assistance Center. Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and work like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. International Cyber Law Research Center would support research in Cyber Laws and Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of Cyber Crimes.
Together, Naavi.org represents a "Cyber Law Vision" that goes beyond being a mere portal. Started in 1997, when the concept of Cyber Law was new across the globe, consistent efforts over the last decade have brought Naavi.org to the beginning of "Phase 2", in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, Organizations and Commercial houses which have a synergistic relationship with the activities of Naavi.org are welcome to join hands in the commercial and non-commercial projects of Naavi.org.
If you would like to know more about Naavi, the information is available here.