Beware of Conficker Frauds
March 31: While Conficker (a worm said to have already infected over 10 million Windows PCs across the world) is creating hysteria around April 1, the date on which it is programmed to activate its next stage, Netizens should be aware of fraudsters who are trying to sell bogus products in the name of "Conficker Removal Tools". One such fraudster has opened a website by the name of remove-conficker.org. Most such sites actually carry their own malware, which is installed on the visitor's computer even as the site claims to have "found" many viruses on it. Refer article at f-secure
Defending against Cyber wars
March 31: Canadian researchers have announced that they have uncovered an extensive Chinese spying operation involving the compromise of over 1,000 computers in 103 countries. It has been known for some time that China is extensively building a cyber war capability, both through the planting of Trojans and through the shipping of doctored hardware. Since India is one of the likely targets of such an attack, there is a need to secure Indian cyber space against attacks from China.
Naavi.org has already raised the issue of the risks in BSNL using imported broadband modems, as well as mobiles, from China. There was also a newspaper report about a possible ban on the import of Chinese-made mobiles without distinct IMEI numbers (implementation status unknown).
Under these circumstances it is interesting to note that the BJP, in its IT Vision document, has indicated that it intends to set up a Digital Security Centre for National Security, whose agenda may include counter cyber terrorism and cyber war preparation. Information security analysts need to appreciate this far-reaching vision and contribute towards the development of a private sector partnership. Related article in vunet.com : Article in timesonline.com
Higher Levels of Encryption to be allowed in India
The DIT guidelines on encryption in India had restricted ISPs to 40-bit encryption. ITA 2008 provided, for the first time, some clarity on the prescribing of encryption standards by introducing Section 84A, which empowers the Central Government to prescribe the modes or methods of encryption for the secure use of the electronic medium and for the promotion of e-governance and e-commerce. It is reported that the DIT, in consultation with industry representatives, has now decided that encryption of up to 256 bits will be permitted in communications. The change is overdue: a 40-bit symmetric key space holds only about a million million (2^40) keys and can be exhausted by brute force on ordinary hardware in a matter of hours, so 40-bit encryption offers no real confidentiality against a determined adversary. Refer article
Problem of Stolen Mobiles
While speaking on the new ITA 2008 at a Human Rights conference in Mysore on 2nd February, I mentioned the new provisions of ITA 2008 and in particular Section 66B (dishonestly receiving a stolen computer resource or communication device), which can be applied to the purchase of stolen mobiles. When I highlighted the possibility of misuse of this provision, one police officer present at the conference felt hurt that police officers were being blamed for the possible harassment of common men. While I respect the views of the honest officer, one cannot wish away the possibility of unscrupulous elements taking advantage of ignorance of the law.
The solution suggested was to set up a "Netizen's Protection Agency", first as a private sector initiative, and then to press for the formation of a Netizen's Rights Commission. This article, which narrates the experiences of a mobile purchaser in Bangalore, highlights the problem, though the Police here appear to have used the ordinary provisions on "theft" rather than Section 66B of ITA 2008 to harass the purchaser of a mobile phone.
At the same time it is necessary for the public to be aware of the new law and to act in compliance with it. Article in Bangalore Mirror
Credit Card Companies shifting their legal liabilities to Consumers
Whenever a credit card is lost, or its information is stolen and misused, the card owner raises a dispute with the card-issuing bank disowning the liability. However, many banks bully their customers by stating that the bank's liability begins only after the loss of the card has been reported to them. Now Tata AIG has come up with an insurance scheme that covers losses from misuse up to 12 hours before the loss of the card is reported. Some credit card companies are also asking their customers to take insurance to cover such losses.
Consumers must however note that a credit card payment where the request for payment is "forged" cannot create a valid charge on the customer. Where the card is stolen and used in a physical store, the customer's signature on the charge slip would have been forged, and hence there is absolutely no doubt that in such cases the liability for the loss rests with the bank and nobody else. Where the CVV number is stolen, the bank may allege that the customer was negligent. However, even this argument is not considered sufficient to absolve the bank of its liability, since it is an established principle of law that "forgery" does not constitute a mandate on the bank. The only exception would be where the customer is directly involved in the fraud or is estopped from claiming that the transaction was not made by him.
Customers should therefore neither give in to the demands of credit card companies to charge them for such insurance, nor do they need to take up insurance themselves under schemes such as the one suggested by Tata AIG. (See enclosed copy of e-mail) : Related Article in bloggersnews.net
The Role of Adjudicators in ITA 2008
March 23: One of the strengths of ITA 2000 was the introduction of a system of adjudication under which a victim of a cyber crime could seek compensation by way of damages outside the usual civil court system. With the expansion of the powers of adjudicators in ITA 2008, adjudicators must also be ready to face challenges to the powers conferred on them by the Act for the benefit of society. One of the points an adjudicator may be forced to consider during any adjudication is a challenge to his jurisdiction. As is the practice in most litigation, the strategy of some defence counsel is always to challenge the jurisdiction of the authority so that the dispute is pushed into the traditional courts, where the inherent delays can give relief to the accused. More
Will the Government Consult Netizens?
March 23: The Government of India is now in the process of framing rules under ITA 2008. As part of the exercise, rules are to be framed under different sections.
Of these, the rules under Sections 43A, 67C and 79 have been identified as affecting the industry, and the Government has circulated a discussion paper with Nasscom and DSCI. (Refer Rules to be Framed under ITA 2008 by Central Government).
Additionally, rules need to be framed under Sections 69, 69A and 69B, which have serious implications for the digital society. They will also impact IT companies, and Nasscom and DSCI should be concerned with these rules too. More importantly, the Netizens who are directly affected by these rules are nowhere being consulted, either directly or through their representative bodies.
We have already discussed some of the issues under these sections in our earlier articles on "Privacy" and called for a system in which Netizens' voices are heard, through a set-up such as a "Netizen's Protection Agency" or a "Netizen's Rights Commission".
It is now time to remind the Government to incorporate these suggestions while framing the rules. More
Suggested Information Security Framework for ITA 2008 Compliance
March 21: The requirements of Sections 43A, 67C and 79 of ITA 2008 can be met by adopting a security framework referred to as the Indian Information Security Framework (IISF-309), which is built on the following principles.
a) The framework is flexible enough for users in different segments and of different operational sizes to adopt practices that are appropriate and affordable. It does not mandate any specific security standard such as ISO 27001.
b) It incorporates the best practices in current use but makes the fine changes required by ITA 2008.
c) It gives weight to "Disclosure" and "Accountability". Accordingly, it recommends that the organization announce a security policy and designate a "Compliance Officer".
Ujvala Consultants Pvt Ltd offers to conduct CyLawCom audits based on this standard and to provide certification of compliance. Ujvala also invites other auditors to adopt the standard and obtain co-certification with Ujvala. Detailed Specifications : Application of IISF-309 for Share Broking firms
Rules to be Framed under ITA 2008 by Central Government
March 21: ITA 2008 designates the "Appropriate Government" to make suitable rules and regulations under different sections. Sections 87 and 90 set out the specific powers of the Central and State Governments to frame rules. Certain rules already made under ITA 2000 are automatically carried over into the ITA 2008 regime; some may need changes and some will have to be drafted for the first time.
Presently, the Central Government is consulting industry bodies for their views before framing rules under Sections 43A, 67C and 79.
This note tries to focus attention on some of the rules that the Central Government is required to frame. More : Comments of Naavi
A Credit Card information Breach through a Delhi Call Center
A sting operation appears to have unearthed credit card information theft by a person in Delhi who reportedly contracted to supply, and did supply, valid credit card details of UK customers, often with CVV numbers, at $10 per record.
A product sold by Symantec via a call centre appears to be the source of this data breach, since three of the victims are linked to such a purchase, though exactly how the software sale is linked to the fraud is not yet known.
An agent of Symantec, Mr Saurabh Sachar, has reportedly been filmed accepting money from the undercover investigators and later sending the details by e-mail.
It is possible that the data was stolen from several call centres.
The incident highlights the need for early notification of the date on which ITA 2008 comes into effect, and also shows how "intermediaries", through their negligence, cause data loss. Article in bbc.co.uk
New Guidelines for Credit Card industry
To assist companies that handle credit cards, a new set of compliance guidelines has been issued by Visa under the PCI Security Standards.
The first version of the security standard, which applies to all entities that accept credit and debit card payments, went into effect nearly four years ago. The present guidelines may provide a template and make it easier for companies to start their compliance programme. Related Article in computerworld.com
BJP Promises IT revolution in India
The BJP has unveiled its IT Vision document, which holds many good things for the IT industry. Some of the laudable statements contained in the vision document include development of the computer hardware industry, encouragement of open source software, increasing mobile penetration, increasing broadband access to the Internet, e-Justice and other e-Governance schemes, the issue of a multi-purpose Citizen ID card, digitization of traditional heritage records, e-healthcare, Indian language computing, e-education, cheap laptops, a National Cyber Security plan, an agency for cyber warfare, cyber counter-terrorism, use of IT for transparency in governance, etc. One of the most interesting concepts is that of "Digital Sovereignty".
There is also a mention of "RTI" (Right to Information) being transformed into "DTI" (Duty to Inform Citizens). Unrestricted VoIP telephony and unlimited broadband at Rs 200/- per month are also on the cards. 20 IT-enabled jobs are envisaged in each of 6 lakh villages, leading to the creation of 1.2 crore new jobs in the IT sector alone. This will also promote e-education and other support services.
There are interesting projects for the use of IT in rural areas, and it appears that the vision document promises exciting prospects for the IT industry in India.
In the event of the BJP coming to power, the Vision document alone has the potential to drive away the recession in the IT sector. Stock markets are also likely to boom, and we can again dream of India becoming a global IT superpower. Detailed Article
A copy of the Vision Document is available here. naavi.org invites comments, if any, on the document.
Information Security for IPL Games
March 11: In what must be considered an alarming development, it is reported that some computers have been stolen from the custody of the Joint Commissioner of Police in Delhi who was in charge of security for next year's Commonwealth Games.
While this incident may be salvaged, since there is still some time before the event, the information security agencies must now focus on the IPL (Indian Premier League, a major international cricket tournament starting next month), where security has also become the focus. There must be one or more computers on which details of where the team members are staying, how they travel and so on are stored. We must now recognize that these systems become "Critical Information Infrastructure" whose security may be of interest to the nation. More
Major Security Breach in Delhi
March 11: In what must be considered a cyber terrorism threat, some computers have been stolen from the office of the Joint Commissioner of Delhi Police. The computers are said to contain details of the security plans for the forthcoming Commonwealth Games. In the current context, where a terrorist threat to sportsmen is a high probability, this information leak must be considered a potential cyber terrorism threat big enough to warrant a total revamp of the security plans. The thieves who stole the computers must, if caught, be tried for cyber terrorism for attempting to breach the security of national-security-related information. The authorities should also have considered treating these computers as "Critical Information Infrastructure" and declaring them "Protected Systems".
In the light of this development, the IPL should treat any computers holding security-related information as top-security items and guard them accordingly, including full-disk encryption so that a stolen machine yields hardware but not its contents. The Government may also think of declaring such systems protected systems. Related Article in IE
SMS Spam is an Offence under ITA 2008
March 11: Spam SMS messages are often sent through websites or software that allow the sender to specify any number as the sender's number. Such messages now constitute an offence under ITA 2000 as amended by ITA 2008. Even before the amendment, to the extent that spam messages degraded the utility a user derived from a mobile, they constituted an offence under Section 66. Now this has been further clarified under Section 66A(c), which covers messages sent to deceive or mislead the recipient about their origin. Related Article in Deccan Chronicle
Health IT Bill Becomes a Law in US
March 6: US President Obama has signed the Health Information Technology for Economic and Clinical Health Act (HITECH) into law as part of the American Recovery and Reinvestment Act of 2009. The Act aims to improve healthcare delivery to patients by reducing medical errors, driving down costs, and giving patients greater information about, and control over, their medical records. The new law brings together a wide range of issues and stakeholders in healthcare, information technology and government to jump-start widespread adoption of electronic health records (EHR). The law is expected to supplement HIPAA. HHS is also expected to issue annual guidance on safeguards, which is likely to become the benchmark for the industry. "Wilful neglect" by covered entities under HIPAA is expected to attract penalties from HHS.
As a result of this law, business associates will assume direct civil and criminal liability under HIPAA instead of being liable only through contractual indemnity. HIPAA compliance by business associates has therefore become a greater necessity today. Complete details of the safeguards to be suggested are awaited. Related Article : Article on Stimulus Bill
Fraudsters now ride on Satyam Issue
March 3: An interesting e-mail is now in circulation in the name of the wife of the brother of Mr Ramalinga Raju, seeking financial help following their troubles. It follows the familiar advance-fee fraud pattern, dressed up in a topical story.
The message reads:
The challenge of Savitabhabhi
March 1: Some time back a reward was announced by techgoss.com for anybody who could find out the persons behind the website. Now techgoss.com has increased the reward to Rs 22000/- for the information. For details visit here
Naavi.org was the first to take up the issue of savitabhabhi.com. Unfortunately, the Police in Bangalore refused to recognize the cognizable crime represented by the site. CERT-In also refused to take action. Then techgoss came in with its reward offer. All through these days savitabhabhi.com has continued to increase its earnings. Several young Indians continue to be spoiled. At least one parent in Bangalore suffered a loss of Rs 1 million on account of savitabhabhi.com.
It is a shame that the Indian Government, the Police and the so-called ethical hacking community have not been able to identify the people behind the running of the website. Let us hope that, if not for the value of the reward, then for the sake of the honour and integrity of law enforcement and the ethical hacking community, somebody will reveal the perpetrators of this cyber offence and bring them to book.
PR Syndicate honours 'Cyber Law Guru of India', Na.Vijayashankar
PR Syndicate (an organization of corporate PR professionals in Chennai) celebrated its first anniversary on 20th January 2007 at the Russian Cultural Centre. On the occasion, the "Award of Excellence in Public Life" was presented to the 'Cyber Law Guru of India', Na.Vijayashankar. More
Naavi's latest book "Cyber Laws Demystified" was soft-launched at the NIMHANS Convention Centre during the Indian Police Congress. The book is a comprehensive coverage of cyber laws, covering both ITA-2000 and IPR and other issues.
Structured into 24 chapters, it also covers the proposed amendments to ITA-2000 in detail as an appendix. A copy of the Information Technology Act 2000 is also appended to the book.
The book also has individual chapters on the legal issues of cyber banking, cyber advertising, cyber taxation and cyber terrorism.
The book is priced at Rs 750/-.
For enquiries and bulk orders click here.
What is Naavi.org?
Naavi.org is India's premier portal on cyber law. It is not only an information portal covering several aspects of information technology law in India but also the focal point of several cyber law services carried on by Naavi.
The first such service is the Cyber Law College, a virtual cyber law education centre in India which provides various courses on cyber law.
The second key service is the Cyber Evidence Archival Center, which provides a key service to help the administration of justice in cyber crime cases.
The third key service is the domain name look-alikes dispute resolution service, which provides a unique solution for websites with similar-looking domain names to coexist.
The fourth key service is the online mediation and arbitration service, another unique global service.
The fifth key service is the CyLawCom service, which covers cyber law compliance related education, audit and implementation assistance.
Additionally, Naavi.org is in the process of developing four sub-organizations, namely the Digital Society Foundation, Naavi.net, the International Cyber Law Research Center and the Cyber Crime Complaints and Resolution Assistance Center. The Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and working like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. The International Cyber Law Research Center would support research in cyber laws, and the Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of cyber crimes.
Together, Naavi.org represents a "Cyber Law Vision" that goes beyond being a mere portal. Started in 1997, when the concept of cyber law was new across the globe, consistent efforts over the last decade have brought Naavi.org to the beginning of "Phase 2", in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, organizations and commercial houses which have a synergistic relationship with the activities of Naavi.org are welcome to join hands in the commercial and non-commercial projects of Naavi.org.