Cyber Law, Cyber Security, Privacy, Data Protection Blog - FREE TO SHARE
Tuesday, February 11, 2014
Cyber Security Strategy with focus on DDoS & APTs
WordPress Blogging Site Vulnerabilities
WordPress Vulnerabilities
WordPress is an open-source blogging platform and content management system (CMS). Since its inception in 2003, WordPress has become widely used and is very actively developed. It is made up of more than 200,000 lines of code (written mostly in PHP) and is used by more than 64 million websites on the Internet. Although WordPress is considered a mature platform, regular updates address serious security vulnerabilities that could be used by an attacker targeting a WordPress site.
WordPress vulnerabilities are even more of a threat when combined with the recent large-scale brute-force attacks targeting WordPress websites. These threats matter whether you host a site on wordpress.com (where the operator patches the core for you) or, more importantly, run the software yourself on another host, where patching core, themes and plugins is your responsibility. If you use WordPress, have you taken steps to secure your installation? Basic security precautions, a strong password policy, and a regular update schedule have several benefits:
- They help ensure your system isn't compromised.
- They minimize damage if a compromise does occur.
- They prevent your server from becoming part of a botnet used to launch further scans or attacks.
Vulnerabilities may be in WordPress core and plugins
Attackers commonly abuse vulnerable third-party WordPress plugins, since every plugin adds code, and therefore potential flaws, to the installation. During the last weeks of April 2013, vulnerabilities affecting the WP Super Cache and W3 Total Cache (W3TC) plugins (both used for caching and website optimization) gained attention. Both plugins evaluated PHP embedded in special mfunc tags found in cached page output, and comment text could reach the cache unfiltered, so an unauthenticated visitor able to post a comment could get arbitrary PHP executed on the server. Updated versions of both plugins have been released and should be applied as soon as possible. Vet plugins carefully before installing them, and completely remove (not merely deactivate) unwanted or unnecessary plugins: a deactivated plugin's files are still on disk and can still be requested directly.
Several exploits targeting WordPress are also included in the Metasploit exploitation framework. The existence of these exploit modules makes it easier for an unskilled attacker to launch attacks and underscores the importance of keeping WordPress up to date. Even without the use of plugins, the WordPress core has suffered from serious vulnerabilities. The following security vulnerabilities have been addressed by recent WordPress updates:
WordPress 3.5.1:
- Server-side request forgery (SSRF) and remote port scanning via pingbacks (the pingback.ping method exposed by xmlrpc.php, which makes the server fetch an attacker-supplied URL).
- Cross-site scripting (XSS) via shortcodes and post content.
- Cross-site scripting (XSS) in the external library Plupload.
WordPress 3.4.2:
- Fix unfiltered HTML capabilities in multisite.
- Fix possible privilege escalation in the Atom Publishing Protocol endpoint.
- Allow operations on network plugins only through the network admin.
- Hardening: Simplify error messages when uploads fail.
- Hardening: Validate a parameter passed to wp_get_object_terms().
WordPress 3.4.1:
- Privilege Escalation/XSS. Critical. Administrators and editors in multisite were accidentally allowed to use unfiltered_html for 3.4.0.
- CSRF. Additional CSRF protection in the customizer.
- Information Disclosure: Disclosure of post contents to authors and contributors (such as private or draft posts).
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information.
- Hardening: Require a child theme to be activated with its intended parent only.
WordPress 3.3.3:
- Cross-Site Scripting: Fix persistent XSS via editable slug fields. (Also fixed in 3.4.0.)
- Hardening: Deprecate wp_explain_nonce(), which could reveal unnecessary information. (Also fixed in 3.4.1.)
- Hardening: Require a child theme to be activated with its intended parent only. (Also fixed in 3.4.1.)
- Information Disclosure: Restrict some post IDs when dealing with media uploading, which could leak some info (or attach media to a post the user doesn't have privileges to). (Also fixed in 3.4.0.)
- Information Disclosure: Hide post excerpts when the user cannot read the whole post (e.g., a contributor can't read someone else's draft beyond the title). (Also fixed in 3.4.0.)
- XSS Hardening: Escape the output of get_pagenum_link(). Note that this function was previously considered to have returned unescaped data, so this was not a vulnerability, but an enhancement. (Also fixed in 3.4.0.)
- CSRF Hardening: Prevent unfiltered HTML in comments when there is potential for clickjacking (i.e., when the front-end of the site is loaded in a frame). (Also fixed in 3.4.0.)
WordPress 3.3.2:
- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
WordPress 3.3.1:
- Cross-site scripting (XSS).
To limit exposure to attacks, updated versions of WordPress should be tested and deployed as soon as possible. Without additional security controls, unpatched core flaws may affect any WordPress site, regardless of which plugins are installed.
Updating is important
A major WordPress version is usually released about every six months, with minor and security releases in between; third-party plugins may be updated at any time. Since WordPress 3.7 (October 2013), minor and security releases of the core are applied automatically by default, but major releases, themes and plugins still need the one-click updater or a manual deployment. Automatic updates may also fail for a variety of reasons, such as file permission, plugin or database issues, so verify that an update actually landed rather than assuming it did. Many organizations opt out of automatic updates and deploy updated versions manually after testing them on a staging copy. This patch and update schedule is virtually continuous and difficult to maintain, but it is necessary to keep an acceptable level of security.
Brute-force attacks
In April 2013, a large brute-force campaign targeting WordPress websites was observed. A botnet of more than 90,000 servers was reported to be scanning the Internet for WordPress sites and attempting to log in to the administrator account using a list of commonly used passwords. Sites using simple passwords such as "123456" or "qwerty" fall victim to this attack almost immediately. If an attacker successfully logs in, a backdoor is installed for future use. Compromised websites may then be used for other activities, such as scanning for more WordPress sites and participating in distributed denial of service (DDoS) attacks.
To protect against brute-force attacks, use long passwords that combine uppercase and lowercase letters, digits and symbols (#$%^&@), and rename the administrator account to something other than "admin" (WordPress does not let you change a login name from the dashboard: create a new administrator, log in as it, and delete the old "admin" account, reassigning its posts). Renaming is only a small obstacle, because WordPress discloses account slugs, which by default equal login names, through author archives (for example, /?author=1 redirects to the first user's archive URL), so password strength, not username secrecy, is the real control. By default, WordPress does not limit incorrect logins, which allows an attacker to make a large number of attempts in rapid succession and increases the odds of guessing the password. Several WordPress plugins limit the number of login attempts, but plugins themselves generally increase the attack surface available to an attacker and may inadvertently open access by other means, so prefer a small plugin whose code you can read over a large, feature-rich one.
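The following is an added example, not code from the original page and not part of WordPress itself, of how small such a login limiter can be when it uses only WordPress's own hooks (wp_login_failed, authenticate, wp_login) and the transients API. It is written as a must-use plugin so it needs no activation; the lla_ names, the five-attempt limit and the fifteen-minute window are this example's own choices.

```php
<?php
/*
Plugin Name: Login attempt limiter (added example)
Description: Locks an address out of wp-login.php and XML-RPC logins after repeated failures.
*/
// Place this file in wp-content/mu-plugins/ (must-use plugins load without activation).
// Added example, not part of the original page or of WordPress; the lla_ names and
// the two limits below are this example's own choices.

const LLA_MAX_ATTEMPTS    = 5;                       // failures allowed per window
const LLA_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;  // window and lockout length

function lla_client_ip() {
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
    // trusted reverse proxy overwrites it, so trusting it lets an attacker
    // dodge the lockout by sending a fresh fake address with every attempt.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lla_transient_key($ip) {
    // Transient names have a length limit; hash the address to keep the key short.
    return 'lla_fail_' . md5($ip);
}

// Fires on every failed login, whether it came through wp-login.php or xmlrpc.php,
// because both paths go through wp_authenticate(), which triggers this action.
add_action('wp_login_failed', function ($username) {
    $key   = lla_transient_key(lla_client_ip());
    $count = (int) get_transient($key);
    // Re-setting the transient also restarts its expiry, so every attempt made
    // during a lockout extends the lockout.
    set_transient($key, $count + 1, LLA_LOCKOUT_SECONDS);
});

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out address is refused even when it finally supplies the right password.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(lla_transient_key(lla_client_ip()));
    if ($count >= LLA_MAX_ATTEMPTS) {
        // Returning WP_Error aborts the login; the message deliberately does
        // not reveal whether the username exists.
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(lla_transient_key(lla_client_ip()));
});
```

Two caveats. A per-address lockout slows a single attacker down but does little against a botnet of 90,000 servers that spreads its guesses across addresses, so it complements a strong password rather than replacing one. And because the lockout is keyed on the client address, a site behind a reverse proxy must have the proxy's real-client address written into REMOTE_ADDR (or the proxy configured so only it can reach the web server) before this check means anything.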
WordPress users should follow the steps outlined in the Hardening WordPress guide (http://codex.wordpress.org/Hardening_WordPress) for additional protections. Restricting access to /wp-admin/ (the administrator's login area) to trusted addresses or behind an additional authentication layer, using a non-default database table prefix, securing wp-config.php (restrictive file permissions, or moving it one directory above the web root, where WordPress still finds it) and disabling file editing from the dashboard are recommended to mitigate the effects of a potential attack.
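The wp-config.php settings behind several of the recommendations above (non-default prefix, no dashboard file editing, admin traffic over HTTPS, and the automatic-update policy from the "Updating is important" section), shown as an added example rather than the page's own text or the stock file WordPress ships. The prefix value and the key placeholder are illustrative; restricting /wp-admin/ by address is done in the web server configuration, not here.

```php
<?php
// Excerpt of a wp-config.php: an added example, not the page's own text and not the
// stock wp-config-sample.php. The prefix and key values are placeholders.

// Non-default table prefix. Canned SQL-injection payloads that hard-code wp_users or
// wp_options miss, although an attacker who can run arbitrary SQL can still read the
// real names from information_schema, so this is defence in depth only. It is easiest
// to choose at install time; changing it later means renaming every table.
$table_prefix = 'x7q_';            // the stock value is 'wp_'

// Unique keys and salts. The placeholder below is exactly what wp-config-sample.php
// carries, and leaving it in place makes the keyed hashes WordPress uses for login
// cookies and nonces guessable. Generate real values from
// https://api.wordpress.org/secret-key/1.1/salt/ and paste all eight definitions.
define('AUTH_KEY', 'put your unique phrase here');   // WEAK: replace with generated values
// ... SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four *_SALT values likewise

// Remove the theme and plugin editors from the dashboard, so an attacker who gains an
// administrator session cannot turn it into a PHP shell in two clicks.
define('DISALLOW_FILE_EDIT', true);

// Stricter: also block plugin/theme installs, updates and deletions from the dashboard.
// Only use this when updates are deployed from outside the web UI.
define('DISALLOW_FILE_MODS', true);

// Serve /wp-admin/ and the login form over HTTPS only; otherwise passwords and
// session cookies cross the network in clear.
define('FORCE_SSL_ADMIN', true);

// Automatic background updates (WordPress 3.7 and later). 'minor' keeps the default of
// applying security and maintenance releases on their own; true would also apply major
// releases, and false disables automatic updates entirely.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Keep debug output off in production: stack traces and file paths in HTML help an attacker.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
```

Note that DISALLOW_FILE_MODS also hides the update notices in the dashboard, so an organisation that sets it must run its own check for new releases; otherwise the stricter setting quietly turns into an unpatched site.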
Many hosting providers supply customers with pre-installed versions of WordPress or similar software, which can quickly become outdated. Given the potential for harm in running outdated software, expect WordPress exploits to become more of an issue in the future, especially for shared hosting providers.
Saturday, February 1, 2014
CYBER CRIME STATISTICS FOR 2013 & 2020
Every second, at least 12 internet users worldwide fall victim to cyber criminals, and the number keeps increasing every year, it has been revealed. A surge in malware targeting mobile apps is a disturbing new trend in cyber attacks.
A significant number of attacks, 19 percent, target financial assets, while the number of cybercrimes committed purely for mischief is now extremely low.
According to one of the recent surveys by computer security firm Kaspersky Labs and B2B International, 62 percent of respondents had at least one incident of cybercriminals attempting to steal financial information.
The convenience of online shopping and banking services is among the major risk factors for end users.
According to experts at RSA security, cybercrime continues to improve its techniques and the way it organizes and targets victims. The RSA Anti-Fraud Command Center (AFCC) has developed the following list of the top cybercrime trends it expects to see evolve:
- As the world goes mobile, cybercrime will follow
- The privatization of banking, trojans and other malware
- Hacktivism and the ever-targeted enterprise
- Account takeover and increased use of manually-assisted cyber attacks
- Cybercriminals will leverage Big Data principles to increase the effectiveness of attacks
Cybercrime activities are globally diffused, financially driven acts. Computer-related fraud is prevalent and makes up around one third of acts worldwide.
Another conspicuous portion of cybercrime relates to computer content, including child pornography, content related to terrorism offences, and piracy. Another significant portion relates to acts against the confidentiality, integrity and availability of computer systems, including illegal access to a computer system, which accounts for another one third of all acts.
The McAfee security firm estimated that cybercrime and cyber espionage are costing the US economy $100 billion per year, and that the global impact is nearly $300 billion annually. Considering that the World Bank estimated global GDP at about $70,000 billion in 2011, the overall impact of cybercrime is roughly 0.4 percent of global income, a remarkable figure.
Cyber criminals are improving their ability to avoid being traced and are making their malicious infrastructure more resistant to takedown operations by law enforcement, for example by adopting peer-to-peer protocols or hiding command and control infrastructure in anonymizing environments such as the Tor network.
What’s the end user impact of cybercrime? What’s the perception of the risks related to principal cyber threats?
The Symantec security firm has just released the 2013 Norton Report, the annual research study which examines the consumers’ online behaviors, the dangers and financial cost of cyber crime.
Their data also confirms the concerning results of other analyses. Cybercriminal activity and the profit from it are growing constantly, the cost per cybercrime victim is up 50 percent, and the global price tag of consumer cybercrime is $113 billion annually. These are the figures that concern security analysts; they also weigh on the global economy and add to the difficulties faced by enterprises.
This data was reported in the Norton Report, a document considered one of the world’s “largest consumer cyber crime studies, based on self-reported experiences of more than 13,000 adults across 24 countries, aimed at understanding how cybercrime affects consumers, and how the adoption and evolution of new technologies impacts consumers’ security.”
CYBER CRIME SCENARIO BY 2020
What will the cybercrime landscape look like in 2020? It’s difficult to predict the evolution of such a complex ecosystem. Technologies evolve at impressive speed, and with them, opportunities for cyber crime.
The European Cybercrime Centre (EC3) at Europol and the International Cyber Security Protection Alliance (ICSPA) presented, in a study titled Project 2020: Scenarios for the Future of Cybercrime – White Paper for Decision Makers, a forecast of cybercrime in 2020. They evaluated the scenario from three perspectives: that of the individual, the company and the government.
The document proposed worst-case scenarios, highlighting:
- Increased abuse of cloud infrastructure. Cyber criminals will increase their use of cloud technology to launch DDoS attacks or host botnets. Underground market offerings will mature to support cyber gangs in the organization of sophisticated cyber attacks.
- It will be very difficult to distinguish between legal and illegal activity.
- Data protection is already a challenge in relation to the internet. The future reality of large scale Radio Frequency Identification (RFID) deployment, global sensor proliferation, aggregation of data and highly personalized, augmented services will require the legal frameworks for privacy and security to further adapt.
- Increased need for identity protection due to the enlargement of individuals' online experiences.
- Regarding privacy; as governments establish more privacy laws, the risk of incompatibility between countries increases, creating more roadblocks for responding to cyber crime.
- The heterogeneous legal framework will allow criminals to choose optimal target countries for illegal activities, and the best sources to engage attacks.
- A lack of unity in internet governance means a lack of unity in cyber security. Regardless of the precise number of governance authorities operating in 2020, there’ll need to be broad consensus on standards, to ensure interoperability of emerging internet mediated technologies, including augmented reality and “the Internet of Things.”
- A consolidation of user encryption management to avoid surveillance activities operated by governments could give cyber criminals an advantage.
- Threats will continue to blur the distinction between cyber and physical attacks (such as human implants, SCADA systems, etc.) Virtual reality technologies may lead to psychological attacks.
- Conventional thinking of protected and absolute control of intellectual property may lead to conditional control, as some governments may become dovish in responding to the increasingly prevalent (legal and illegal) access to IP. (However unlikely governments are to shift traditional thinking, they may enact policies that move with the punches of an increasing risk of IP theft, rather than put up a fight.)
- Data protection tools and laws will have to meet the increasing accessibility and proliferation of data.
The principal threats related to cyber crime activities could be grouped into the following categories:
- Intrusion for monetary or other benefits
- Interception for espionage
- Manipulation of information or networks
- Data destruction
- Misuse of processing power
- Counterfeit items
- Evasion tools and techniques
In the coming year, almost all of these threats will continue to concern authorities. The principal losses will be attributable to cyber espionage and sabotage. SMBs will be the most impacted by cybercrime. That is why the cyber strategies of governments must include a series of mitigation countermeasures for the principal cyber threats. Critical infrastructure and defense systems will be privileged targets for cyber criminals and state-sponsored hackers, and the two categories of attackers will be difficult to distinguish in a chaotic cyberspace.
“Evolved threats to critical infrastructure and human implants will increasingly blur the distinction between cyber and physical attack, resulting in offline destruction and physical injury.”
I predict that attacks on satellites in space (or infecting them), worms infecting devices used in the human body, and a new breed of doctors fixing infections of devices fitted in the human body, called "Cyber Doctors", would evolve.
Sunday, January 19, 2014
Net neutrality would slowly expire; Google & fb to dominate
Net neutrality what it is?
Net neutrality is an idea which stipulates that internet service providers (ISPs) only enable general web connectivity and cannot selectively connect to one website and not the other. Whether you are reading the news or browsing photographs on the web, you get the same internet speed. All ISPs open all (legal) websites whether they like it or not. They do not slow down access to Facebook or speed up access to YouTube. They do not charge extra money from Twitter or Flickr for speeding up connection to these websites. In sum, ISPs are content-agnostic. They just provide the connection at a speed for which a user is paying. Also, unlike cable TV where you have to pay for channels, for the internet you just pay for the connection.
Net neutrality has some obvious advantages. It is great from the perspective of freedom of speech. It is up to a user to access what he wants on the web.
But a bigger advantage of net neutrality is that it creates a level-playing field for all web services and websites. Whether it is a blog owned and managed by one person or Facebook, which employs thousands of engineers, all websites have access to the same connection speed. This allows people to innovate. Imagine, there is no net neutrality and ISPs provide connection speed to a particular website or service depending on how much that service pays. In this case a website like Facebook, which is big and rich will be able to pay more to get better connection speed. But a startup, which wants to challenge Facebook, will not have the same kind of resources. It won't be able to pay ISPs what Facebook can. Result? For users, Facebook will open faster on their computers. The website of the new startup will be slow and hence will never get popular.
Net neutrality sounds like a nice idea. So why do some companies not want to follow it?
While net neutrality is just an idea, albeit the one that has shaped the internet, the Federal Communications Commission (FCC) of the US has been putting in place some rules for the last 10 years to make sure that this idea continues to drive the internet industry forward. However, powerful ISPs in the US are not very happy about it. They argue that they should be allowed to shape and manage the internet traffic the way they want because that is the future. These ISPs say that building internet infrastructure is expensive and as more and more people connect to the web and new services like YouTube and Netflix, which consume lots of bandwidth, come online, they have to shape traffic to maintain quality.
The ISPs also argue that when companies like Google are making huge sums of money from services like YouTube, which has high bandwidth requirement, they should be allowed to charge for connecting consumers to these services. In sum, they want a share in the money companies like YouTube and Netflix are making.
Finally, the argument is that traffic also needs to be shaped so that some services can get higher priority over others. ISPs say that internet speed for critical services like credit card payment should get priority over something like opening a video of cats playing with dogs.
In 2010, the FCC came up with a set of new rules to maintain net neutrality. ISPs did not like that and in 2011 challenged the rules in court. On January 14, 2014, a federal appeals court (the D.C. Circuit, in Verizon v. FCC) declared the FCC rules invalid.
What did the appeals court in the US say?
There are lots of legalities and technicalities in the court order that invalidates the FCC rules. It doesn't invalidate the idea of net neutrality. It only says that the 2010 FCC rules have no legal basis. Here is a key passage from the ruling:
We think it obvious that the Commission would violate the Communications Act were it to regulate broadband providers as common carriers. Given the Commission's still-binding decision to classify broadband providers not as providers of "telecommunications services" but instead as providers of "information services," see supra at 9-10, such treatment would run afoul of section 153(51): "A telecommunications carrier shall be treated as a common carrier under this [Act] only to the extent that it is engaged in providing telecommunications services."
Does the court order spell death of net neutrality?
No, it does not, although it definitely allows ISPs a little more wiggle room to experiment with how they provide internet services. In an interview with Recode, a technology website, Susan Crawford, a law professor, explained that the FCC has an easy way out to enforce net neutrality, at least technically: classify ISPs as common carriers. "All it has to do is relabel these services as common carriage services. It's likely that's what they'll end up doing," Crawford said.
However, the debate over net neutrality is not just about the rules. There is a lot of politics involved, and different players have different stakes in this game. ISPs in the US are powerful and have strong political ties. They can lobby hard to get what they want. At one point in time, companies like Google and Facebook were staunchly in support of net neutrality, but now that they rule the web, they don't show the same energy in protecting the nature of the internet that allowed them to grow so big.
Still, the idea of net neutrality is the foundation of the web as we know it. And it will be difficult to do away with it for any company, a group of organizations or even a government without forging a broad coalition.
How is the ruling going to impact you, the user?
Currently, there is going to be no impact on end users. Even in the US, consumers will likely get the same internet access. In the long run, however, there could be some impact. The biggest effect of this ruling is that it is going to embolden ISPs. They will want to keep the status quo and resist if the FCC attempts to formulate new rules to protect the idea of net neutrality. Gradually, ISPs will want to move towards a system of web connectivity where they have more control over the traffic flowing through their networks.
But whenever that happens, the change will be gradual and not without any resistance. Any move to shape traffic in a significant way will likely attract lawsuits in the US, given that this continues to be a grey area and law is not very clear on it. One day, maybe the US Supreme Court will rule on the topic of net neutrality. Or maybe the US lawmakers take up the matter and come out with a set of rules that will either enforce net neutrality or do away with it. But all of this is not happening any time soon. For now you can keep on using your internet connection the way you want.
Tuesday, December 3, 2013
Facebook Wants to Listen to Your Phone Calls and invade Privacy
Cellphone users who install the Facebook Messenger app on Android are asked to accept a list of permissions that allows the app to use the microphone on their device to record audio at any time without their confirmation.
The permission list users must accept (the screenshot referred to in the original post is not reproduced here) allows Facebook to "record audio with the microphone ... at any time without your confirmation."
The same list also authorizes the app to take videos and pictures using the phone's camera at any time without confirmation, and to call phone numbers directly, again without confirmation, which could incur charges.
But wait, there's more! Facebook can also "read your phone's call log" and "read data about contacts stored on your phone, including the frequency with which you've called, emailed or communicated in other ways with specific individuals."
Most Android apps that use the microphone, camera or contacts request the same permissions with the same wording, because the text is Android's standard description of each permission, and on Android versions of this era permissions are granted all-or-nothing at install time rather than asked for individually at the moment of use. A granted permission is a capability; the list does not show whether or when the app actually exercises it. Even so, this is easily the most privacy-busting set of mandates we've seen so far.
Since the vast majority of people will agree to these terms without even reading them, cellphone users are agreeing to let Facebook monitor them 24/7, green-lighting the kind of open-ended wiretap that would make even the NSA jealous.
Thursday, September 26, 2013
Online Banking & Credit Card Fraud Advisory !!
After listening to the plight of sufferers of various online banking and credit card frauds, and handling so many fraud cases ranging from Rs. 15 thousand to Rs. 52 lakhs, I have humbly, by experience, come to the following conclusions and advisory:
1. Every net banking user should have two bank accounts.
2. One in a technology-oriented bank like ICICI, HDFC, Axis, Yes, SBI etc. with an online banking option.
3. One account in any other cooperative bank, but with a balance of up to Rs. 100000/- only, and if you want to have more balance at hand, Rs. 1 lakh each in different trustworthy cooperative banks. The rest can be in fixed deposits.
[This is said because the RBI only insures up to 1 lakh, i.e. if the bank goes kaput the RBI will pay you up to 1 lakh.]
4. In the technology-oriented bank, maintain only the amount needed for online transactions such as bill payment or ticketing etc.
5. Whenever required, money can be transferred to the online banking account by cheque/DD/cash etc.
6. Go back to your bank and check whether in your account opening form you ticked Online Banking or Mobile Banking; if so, please untick the same.
7. Please go to your bank immediately and ask them to issue chip-based credit/debit cards to avoid cloning (this can take time, but the RBI had asked banks to do this by June 2013).
8. Any extra cash in the online banking account can be moved to fixed deposits.
9. Avoid mobile banking / mobile payment gateways completely till standards, rules and regulations are formulated; take my word, I am getting ready to handle mobile banking and payment related frauds, as cases have started trickling in.
10. Even though I personally hate handling cash, in Indian markets cash still remains king, and the various frauds in banking are reasserting faith in a cash-based economy.
God bless you with lots of money, and bless you further to keep it safe, safe and safe always.
Wednesday, September 4, 2013
What is Sensitive Personal Data or Information in India ?
[ DATA PROTECTION LAWS IN INDIA ]
Sensitive Personal Data or Information is not directly defined in Section 2 of The IT Act, 2000. The definition which has the force of law is given under section 3 of THE INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011, made by the Central Government in exercise of the powers conferred by clause (ob) of sub-section (2) of section 87 read with section 43A of the Information Technology Act, 2000 (21 of 2000). Section 3 reads as:
3. Sensitive personal data or information.—
Sensitive personal data or information of a person means such personal information which consists of information relating to;―
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
To enlarge this definition further, the definitions of
1. Data
2. Information
3. Personal Information
4. Body corporate
have to be added to the definition of “Sensitive Personal Data or Information”, as the legislature has defined them separately.
Section 2(1)(o) of The IT ACT, 2000 defines "Data" as: "Data" means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
Section 2(1)(v) of The IT ACT, 2000 defines "Information" as: "Information" includes data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated micro fiche;
Section 2(1)(i) defines Personal Information as: “Personal Information” means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
"Body Corporate" is defined under Explanation (i) of Section 43-A of The IT Act, 2000 as: "Body corporate" means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
So the full length definition of Sensitive Personal Data or Information would be:
Sensitive personal data or information of a person means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities, is capable of identifying such person, which consists of data, message, text, images, sound, voice, codes, computer programs, software and databases or micro film or computer generated micro fiche relating to;―
(i) password;
(ii) financial information such as Bank account or credit card or debit card or other payment instrument details;
(iii) physical, physiological and mental health condition;
(iv) sexual orientation;
(v) medical records and history;
(vi) Biometric Information;
(vii) any detail relating to the above clauses as provided to body corporate for providing service; and
(viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise:
provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.
Also, reading clause (viii) above carefully, the further intention of the legislature can be found out: any information that is NOT freely available or accessible in the public domain, or furnished under the Right to Information Act, 2005 or any other law for the time being in force, shall be regarded as sensitive personal data or information for the purposes of these rules, even though the presence of the word "shall" gives it a directive meaning.
So the questions could be:
If someone lays hands on my mobile phone CDR (Call Data Record) illegally and finds out which specialist doctor or psychiatrist or specialist lab like Thyrocare etc. I am calling, does it reveal my medical record or history or mental health condition, or give certain conclusions to the person who has illegally procured my CDR?
I feel Yes !!
If I am calling my banker or my stock broker or a private equity guy or any lender or investor, isn't the CDR revealing all my financial details?
I feel Yes !!
A CDR (call data record) thus falls under the definition of Sensitive Personal Data or Information under the IT Act, 2000.
Other examples of Sensitive Personal Data would be:
1. Pathology Lab Reports.
2. Sex determination test.
3. Height or Weight of the person.
4. Bank Statement.
5. Credit card / Debit card Statements.
6. Cheque or Demand Draft or Pay order or e-cheque details.
7. PIN Number.
8. DIN Number.
9. Secret Question to reveal password.
10. Electronic keys etc.
The Supreme Court of India has interpreted the right to life to mean the right to a dignified life in the Kharak Singh case, especially in the minority judgment of Subba Rao, J. In Gobind v. State of M.P., Mathew J., delivering the majority judgment, asserted that the right to privacy was itself a fundamental right, but subject to some restrictions on the basis of compelling public interest. Privacy as interpreted by our Apex Court in its various judgments means different things to different people. Privacy is a desire to be left alone, the desire to be paid for one's data and the ability to act freely.
The right to privacy relating to a person’s correspondence has become a debated issue due to technological developments. In R.M. Malkani v. State of Maharashtra, the Supreme Court observed that the Court will not tolerate safeguards for the protection of the citizen to be imperilled by permitting the police to proceed by unlawful or irregular methods. Telephone tapping is an invasion of the right to privacy and of freedom of speech and expression; also, the Government cannot impose prior restraint on publication of defamatory materials against its officials, and if it does so, it would be violative of Article 21 and Article 19(1)(a) of the Constitution. In People's Union for Civil Liberties v. Union of India, the Supreme Court held that the right to hold a telephonic conversation in the privacy of one’s home or office without interference can certainly be claimed as a right to privacy. In this case the Supreme Court laid down certain procedural guidelines for conducting legal interceptions, and also provided for a high-level review committee to investigate the relevance of such interceptions.
Conclusion :
So if a Body Corporate does not follow reasonable security practices to safeguard the Sensitive Personal Data or Information among all the data it possesses, it has to pay severe compensation to the entity/person whose data so gets compromised.
Sensitive Personal Data or Information, though defined in the IT Rules of 2011 under The IT Act, cannot be construed strictly, as it is said that law lies in its interpretation, and history has shown that interpretation differs at different times. The definition cannot be strictly construed for two reasons. One, because the definition encompasses various words which are defined separately, and cognizance has to be taken of them to arrive at the intentions of the legislature and society at large; and second, because what can be sensitive to one person at one time may not be sensitive to another person at a different time. As of today, if we get the Call Data Records of Harshad Mehta or Nathuram Godse, the data so obtained would remain personal but not sensitive, because time has passed by and so has its relevance.