Ziggy Zapata Title

PRIVACY

NOTE: If you arrived at this page without seeing a menu, please click on this link - www.ziggy.com.au - to open the entire Ziggy Zapata website in a new window.

The author asserts his right to publish this information in the public interest
No responsibility is taken for consequences resulting from using any information contained herein

DO NOT LET THE GOVERNMENT SPY ON YOU

The case of Australian Wikileaks founder Julian Assange being pursued by the Americans for exposing their dirty laundry shows how important it is to ensure that all links to sensitive information and communications be prevented from being accessed by authorities and courts. For instance, a person's Internet communications can easily be traced via email account information, IP addresses and other means.

Confidential data on social networking facilities such as Facebook and Twitter are subject to legal intrusion, as was seen in March 2011, when a US federal judge ruled that the US government may demand that associates of Julian Assange hand over Twitter account information in the investigation by the Americans into Wikileaks. Because Facebook and Twitter are physically located in the USA, they fall under US jurisdiction and confidential material can be obtained by court orders or warrants.

There is one major lesson to be learned from this. If you don't want authorities and courts tracking your communications and getting access to your Internet activities, then you have to cut the links that show what you have been doing and where you have been browsing. The best way to do this is to use an anonymous proxy server or a Virtual Private Network (VPN). Most people do not have access to a VPN, but anybody can access a myriad of anonymous proxy servers all over the world.

ANONYMOUS PROXY SERVERS

So let's say that you have sensitive information that you want to leak to newspapers or whistleblower websites such as Wikileaks. If you send this material via regular emails, this can easily be tracked. But if you log onto an anonymous proxy server that is physically located outside Australian jurisdiction, then transmit the confidential information to the recipient, the link from you to that recipient is completely broken by the anonymous proxy server.

There are many of these facilities right out of the clutches of the sort of nations that would demand your confidential data by court order, such as the USA, Britain and Australia, so the only evidence that they could find is that you visited an anonymous proxy server, but would have no way of discovering what you did via that facility. Even better, if you can access an offshore anonymous proxy server from an anonymous computer to send that confidential data, the more secure you will be. There are a number of measures that you can take to cover your tracks completely.

SECURE YOUR HARD COPY MATERIAL

The easiest data for others to seize is printed material or CDs and DVDs containing correspondence, documents and bank statements, especially those from accounts that you wish to keep from prying eyes, or diaries and records of your activities. Obviously the best place for such items is nowhere near your premises, so if you need to retain original documents, CDs and DVDs, hide them well away from where you live and do not tell anybody else where they are. Do not put such material in bank safety deposit boxes or any other place linked to your name.

For documents that do not need to be retained as originals, store them as encrypted computer files. Scan and save those documents using at least 256 bit encryption and there is very little chance that anybody can crack them within the foreseeable future. As long as you remember the passwords, you can always view or print those items, but others cannot gain access to them. Ensure that you shred the originals completely and burn the shredded paper. CDs and DVDs can be destroyed by cutting them up and burning them. There is no way anybody can recover sensitive data after it is destroyed in such a comprehensive manner.

SECURE YOUR COMPUTER

These days, the most obvious and vulnerable item that can be seized is your computer, complete with the hard disk drive that contains your data. Logically then, if you have sensitive data, do not ever keep it on your computer's hard disk drive - it's that simple. There are many ways of accessing data without it actually being on your computer, such as removable media, storing it on remote webservers and many other methods.

If you use removable media such as an external hard disk drive for storing sensitive data, it is obvious that others should not be able to gain access to it. The problem with physically large external hard disk drives is that they are easily found and they are not able to be quickly destroyed if necessary. The trick is to always keep physically large data storage devices right off your premises and only use them for periodic backup, not for day-to-day access to sensitive data.

INTERNET INTRUSIONS

Many computer users seem to completely disregard the threat of intrusions when connected to the Internet. For instance, very few people outside the IT business realise that on a single Internet connection, there are over 65,000 ports, most of which can be entered by hackers if they are not protected. So it is vital that any connections to a computer are made so they cannot be penetrated. The method to secure Internet connections from hacking is called a firewall. These can be hardware of software based.

Surveys have found that very few computers in Australia used a firewall of any description. Of course not having a firewall on a computer connected to the Internet is just begging for it to be compromised by malware, viruses or Trojan Horse software that turns the computer into a zombie machine controlled by criminals, who will use it as part of a bot-net to attack websites or to launch millions of spam emails or to steal passwords and bank details.

Most versions of Windows operating system comes with a free software firewall and there are many free or very cheap commercial firewalls available, so there is absolutely no excuse for anybody not to have a firewall installed on every computer they own. If people are so stupid or ignorant as to not secure their computers from very well-publicised risks, then they really deserve to suffer the consequences. The following steps will generally offer protection against being hacked.

ALWAYS USE A ROUTER

One of the most effective ways to keep your Internet connection secure is to use either a hardware firewall or a router. If you connect to the Internet using just a modem, the only protection your computer has against hackers is a software firewall and some of those are not very secure. Not only that, software firewalls can be disabled or erased by malware that is inadvertently loaded by the user. It is always important to have a software firewall operating, however the cheapest and most effective hardware-based hacker prevention these days is a router, because most good routers have features that make them act as hardware firewalls. Routers cannot easily be compromised by software on the computers that they service.

WHICH ROUTER TO USE

Ensure that you only use a router with built-in Dynamic Host Configuration Protocol (DHCP) servers, Network Address (NAT) and Stateful Packet Inspection (SPI) if possible. All these functions act as a hardware firewall and most good modern routers have these features. However, this is just the beginning of the measures to be taken to secure your system. Configuring the router settings away from their defaults is critically vital. Also it is most advisable to use a software firewall, such as ZoneAlarm or Windows Firewall - it adds yet another layer of security.

SECURE YOUR ROUTER

It is vital to change the default settings of your router, because criminals who manage to hack into it by using the well-known default usernames and passwords can change settings that can cause disasters. This can happen simply because routers are programmed via a browser, using an Internet Protocol (IP) address that is allocated from a block reserved for this purpose. In most cases, both the default username and password are "admin" and most domestic users never bother to change them. This leaves their routers wide open for criminals to exploit. For instance, a hacker who gets into your router settings menu can change the Domain Name Services (DNS) table and seamlessly redirect you from a legitimate banking website to a bogus phishing site that will steal your banking username and password, even when you enter the legitimate banking website's URL into your browser address line manually.

Securing a router is quite simple. Follow these steps:

Once the new router is secure, then you can enter your ISP's connection settings, plug in the phone line or cable from a modem and connect to the Internet. Always be very careful of which programs you allow to operate through the firewall and check that they are legitimate and not malware. Never be complacent about security, because every day, hackers find new tricks that can compromise your computer and data.

SPYWARE AND MALWARE

Always ensure that no spyware is loaded onto your computer. Install a good antivirus program and make sure it is always active whenever you are connected to the Internet. Install a spyware and rootkit checker and scan your hard disk for malware at least every few days. But the best precaution against malware is to not install any software that is suspicious or that is obtained via links in emails. In fact, clicking on email links is a nice piece of social engineering used to full advantage by cyber criminals, who know that most people are tempted to click on interesting sounding links.

ENCRYPTION AND PASSWORDS

One of the best ways to prevent sensitive computer data from being hacked or read by others is to encrypt it. There are many encryption programs available and some of the better ones cannot be broken even by the world's most powerful supercomputers. Use encryption software that has a 256 bit algorithm and if it does not have a backdoor built in, it will be next to impossible to break, even by the most sophisticated and powerful computers.

It is vitally important to use passwords that are very unusual and that would be hard to crack. Even though heavily encrypted files are virtually impossible to crack, password-cracking software that uses brute force methods of running through every possible letter and number combination in the alphabet can eventually guess a password only used by these characters. To make it nearly impossible for anybody to succeed in cracking your password, use characters that are not available by normal keystrokes. Most people do not realise that a vast range of computer characters, such as foreign language letters and strange graphic and mathematical symbols can be typed using American Standard Code for Information Interchange (ASCII) codes. These can be generated on any keyboard by holding down the "Alt" key and typing in the particular ASCII number for the characters you wish to use. You can download an ASCII table with the characters and keystrokes from many websites on the Internet. Here are just a few extended ASCII characters:

If you invent passwords using such unusual characters and symbols, it will make it immeasurably harder for even sophisticated software to guess your passwords, even by brute force. The odds of software-cracking passwords having to try such a massive number of character combinations is monumental, compared with the comparatively easy task of trying to crack passwords composed of standard alphanumeric characters.

DATA BACKUP

If you decide to use an external hard disk drive for data backup, hide it away from your premises if it contains data that you want to keep secret. One quick way to erase data is to install a batch file that will irreparably trash your hard disk with a quick click or keystroke if you get the dreaded knock on the door. Also defragment the hard disk regularly and make sure that it also permanently erases all unused disk space and any unused clusters containing data. These steps are simple and virtually do not cost anything, but will prevent most entities wishing to intrude upon your privacy getting their hands on your secret data. However, this is the least secure way to delete files and will not stop determined people with computer knowledge from recovering erased data.

Do not ever labour under the delusion that if you erase data from a hard disk drive, that it cannot be recovered. Always be aware that there are very sophisticated devices that can recover data from hard disks that have been overwritten and reformatted many times. Deleting files normally does not remove them from your hard disk - you have to use special software to completely remove them. But even when special security software is used to delete files to make them unrecoverable, some parts of them can be reconstituted by using a device called a Spinstand Tester that can read magnetic data that has leaked onto media between the hard disk tracks that have been completely erased. If you have very sensitive data and you really want to make sure that it has been completely destroyed, remove the hard disk drive from your PC, open up its case, pass a powerful magnet over the disk platters and then physically hack the platters beyond recognition.

PREVENT RECOVERY OF SENSITIVE DATA FILES

Most webmail services such as Hotmail or Google Gmail allow you to store files. Therefore if there are files that you don't want others to see, you should not keep them on your personal computer, but upload them to an offshore webmail account. But always remember that others can often gain access to offshore accounts, so this is not entirely secure unless you store your files on a webserver in a nation that has no treaties with Australia and that will rebuff any attempts by Australian entities to access your data on their servers. However, you must ensure that you thoroughly overwrite the original files on your computer using military grade overwrite software which is often free, or better still, keep them on removable media while you are editing and uploading them. It is important to encrypt those sensitive files using software that is known to be unbreakable and that has no backdoor built in so that somebody else can decrypt your data.

PREVENT COMMUNICATIONS SURVEILLANCE

The police and other organisations such as ASIO have very sophisticated means of surveillance and amazing equipment that can clandestinely listen and record conversations and of course use the recordings in evidence against people. Obviously honest folk who have not committed crimes have nothing to fear from the authorities, but there are many instances where conversations need to be kept absolutely private. Taking measures to stop anybody eavesdropping on conversations is quite legal. The best way of ensuring secrecy is to not say anything sensitive, but write it on paper, show it to the recipient and immediately burn the paper and grind the ashes to dust.

Never assume that your house and car are safe from surveillance, as they can be easily bugged and many people have been shocked to hear their very private conversations played in court by police. Sometimes the old countermeasures are the best way. For instance just as seen in spy movies, playing loud music and softly whispering into somebody's ear will generally stymie the best audio bugging. Even conversations taking place in crowded public places can be recorded with the use of long range parabolic or shotgun type microphones, so always be aware of this and take appropriate steps to negate this.

Telephones are not secure and they can be tapped by a number of authorities. However, there are good ways where people can communicate with each other and be reasonably assured of not being overheard. One of the better methods is using a Voice over Internet Protocol (VoIP) service if it is highly encrypted. Most domestic VoIP services such as Engin and GoTalk will allow Australian police or taxation officers to tap communications, but many international VoIP companies will not allow this to any authority.

MOBILE PHONES ARE DANGEROUS

If you wish to keep authorities from knowing what you say and where you are at any given time, avoid using a mobile phone. Although revolutionising personal and business communications, these devices are literally two-way radios that continuously communicate with base station cells within their proximity, pinpointing their location to that area. Many people who did not realise this have been convicted of crimes, because the signals sent by their mobile phones were logged by their telecommunications providers and used as evidence to show where they were.

In a very prominent case, Fairfield City councillor Phuong Ngo was convicted for the murder of rival politician John Newman in this way. Ngo claimed that he was many kilometres away at the time of the murder, but his mobile phone records showed that he was in very close proximity to the murder scene at the time and that he had gone to the Georges River to the spot where police eventually found the gun used to kill Newman, Obviously Ngo did not realise that the mobile phone in his pocket was transmitting his location to local cells every few seconds.

Of course the best way to prevent anybody tracking you is to not carry your mobile phone to any sensitive places. Leaving your switched-on mobile phone at one location while you go about your sensitive business elsewhere may be vital in convincing people who gain access to your mobile phone logs that you were actually where your mobile phone was for the whole time that you were somewhere else. There is nothing wrong with doing this, as nobody has the right to track you in such an intrusive manner. If you need to have your mobile phone with you for subsequent use, ensure that it is completely switched off for the entire time that you wish to keep private. Always remember that authorities have the power to tap mobile phone conversations, so never discuss anything sensitive or damaging on a mobile phone unless you are using a very secure end-to-end encrypted messaging application.

ENCRYPTED MESSAGING APPLICATIONS

With advancements in communications technology, we have seen the advent of end-to-end encrypted messaging services, most of which are completely free smartphone and computer applications. These applications ensure that communications such as voice calls and text messages cannot be intercepted, providing that the application providers have not allowed police or other authorities to gain access to their servers. However in most cases, even the application providers cannot intercept those encrypted messages or voice chats.

Some of these applications are known to be rather insecure because of their data sharing policies, such as WhatsApp, so it is better to avoid them. There are some end-to-end encrypted services that are highly secure and not compromised. Signal Messenger is one of the best and even famed US whistleblower Edward Snowden uses Signal because the providers are not beholden to anybody and they operate on grants and donations. It is well-known that Signal is probably the safest way for people to keep their communications totally private.

There are other good end-to-end communications applications, such as Telegram, Wickr, Viber, Wire, Threema, Silence, so it's a matter of choice. The main thing to consider is the security of the devices used for those communications, such as smartphones. It's not much good having secure encrypted communications if there is spyware loaded onto your smartphone that is intercepting your microphone and speaker before the message or conversation is encrypted.

EMAIL SECURITY

There are many articles in the news regarding the interception of emails that have led to severe embarrassment and even criminal prosecution of the senders. Emails are easily intercepted by authorities, who can use the contents against the senders in many ways. The usual security rules should apply to emails as they do to other records - if you don't want anybody to read what you have written, don't write it down where it can be found.

All sides during the Cold War in the 1950s to the 1990s used various methods of communications with their spies. One of the most prevalent was called the Dead Drop. A spy would hide a message at a particular site, then inform his handler by way of a signal, such as a mark on a lamp post or an open window shade, that there was a message to be picked up. The handler would go to that spot and pick up the message. Unless the spy and the handler were under surveillance, nobody would be the wiser.

A similar method can be used with emails. If you transmit an email, it can be intercepted by others. But if you don't transmit something, there is nothing to intercept. So a person who needs to communicate securely with somebody else can use the electronic version of the old Dead Drop.

EMAIL DEAD DROP TECHNIQUE

This is the way to communicate securely with another person using email facilities, which does not involve actually transmitting emails. This is what to do:

The beauty of this method is that nothing is sent, therefore there is nothing for anybody to intercept. Neither you nor your contact are saving any data on your personal computers, so if they are seized, nothing will be found. If you use this method, ensure that your browsing history is always deleted by setting the history cache to zero as the default and manually erasing any temporary Internet files.

Of course this method relies on both you and your contact maintaining complete secrecy and never divulging the URL, log-in details or encryption passwords to anybody. Hopefully both you and your contact will delete all messages immediately after reading them, so that even if authorities somehow manage to get into that dead drop email account, they will find nothing.

PASSING MESSAGES WITHOUT LEAVING A TRACE

Possibly even better than the email dead drop account is the video call message technique. This is so simple that it is ludicrous, yet if you and your contact maintain security, you will never be caught or compromised. Here is the way to do it.

How simple is that? Unless the authorities actually intercept the actual video feed, then nothing is sent or received and the paper that the messages are written on can be destroyed on the spot. Even if authorities install surveillance malware such as a keylogger, this method beats it completely, as the keyboard is not used to send any part of the messages.

INSULATE THE COMPUTER

All of these anti-interception methods are completely useless if you are under surveillance and somebody has planted something on your computer, such as a keylogger that will transmit your keystrokes back to the surveiller, thus exposing every single thing you enter on your keyboard. The most important thing is to ensure that your computer is completely free of any spyware that can compromise what you are doing.

So before you embark on any countermeasures such as Dead Drop emails, constantly check your computer for keyloggers and especially a nasty way that computers can be compromised, which is called a rootkit. This is software that hides itself in places where most virus checkers do not scan, such as the Master Boot Record. it is critical that computers that are used for surreptitious communications have to be completely bug-free, especially from keyloggers and rootkits. There are excellent free rootkit detectors that will quickly find such hidden spyware.

HIDE SENSITIVE DATA

Computers are routinely seized by authorities, who examine the files on their hard disk drives and use anything compromising as hard evidence to convict their owners. The obvious answer is to not put any sensitive material onto computers, but these days, computers are vital in almost every aspect of life. So precautions have to be taken and certain techniques used to avoid sensitive material falling into the wrong hands.

There are methods of securing sensitive computer data on hard disk drives using powerful encryption, however it is hard to know which encryption programs are completely secure. Some can be cracked by authorities who have been given backdoor keys or even by brute force methods using password cracking software. But authorities who seize a computer will obviously not find anything compromising if it is not stored on the computer's hard disk drive in the first place, encrypted or not.

Sensitive files should never be written to the computer's hard disk drive, but stored on removable media. There are many choices for this, ranging from external hard disk drives and flash memory sticks to storing files in the "cloud" - on remote servers connected to the Internet. However, storing files in the cloud means that somebody else could get access to them, so this is not a good security solution. External hard disk drives are a fairly good method of sensitive file storage, but even the smallest external hard disk drives can be found quite easily by searchers.

IDEAL CONCEALABLE DATA STORAGE SOLUTION

However, there is one excellent data storage medium that is ideal, simply because it is so tiny and easily concealable. This is the microSD flash RAM card.

MicroSD Card
Sandisk 1 Terabyte microSD card

A microSD card is only 15mm x 11mm and fractionally under 1mm thick. Just to give you a size comparison, a microSD card is less than a quarter of the area of an average 35mm x 20mm Australian postage stamp. In fact a microSD card is smaller than the average man's thumbnail. With current capacities up to 1 Terabyte, plenty of sensitive data can be stored and accessed on microSD cards and hidden so that nobody will ever find them. For instance, on just one 1TB microSD card that is smaller than a man's thumbnail, a whopping 500,000 2 MB video clips, or 2 million images of 500kb size can be stored.

In case of an unexpected raid, a microSD card with sensitive information can be immediately crushed completely, thus destroying any hope of recovering data from it, In fact, a microSD card can be chewed and swallowed instantly. An encrypted backup of the data on the microSD card should also be kept on another microSD card concealed in a remote location.

A microSD card is used like an external hard disk drive. Plug it into a card reader or a USB adaptor and store all sensitive files on it and view them, edit them, do whatever is required with them, then remove the microSD card from the computer and there's nothing left there for anybody to see. Ensure that file caching is switched off for all external disks and media and thus no temporary files from the microSD card will be stored on the computer. As soon as power is removed from the computer, all sensitive data in its Random Access Memory (RAM) vanishes.

A microSD card is so small that it can be hidden anywhere and would be almost impossible to find if placed in unusual locations. There are already gadgets available to conceal microSD cards in the most unlikely places. For instance, a hollowed-out coin containing a microSD card can be thrown into a jar of foreign coins and even if a searcher examined the jar, he would not try and test every coin to see if it was indeed a fake coin containing the sensitive material.

Another terrific place to hide a microSD card is inside the barrel of a pen that is wide enough to accept it. Most fountain pens or marker pens have barrels wide enough for this. Who would think of searching for a data storage chip inside a pen that was lying in a drawer amongst a pile of other pens and pencils? Many modern car remote control fobs have enough space in them to stash a microSD card and like the pen, nobody would dream of cracking open a remote control fob in search of a data storage chip?

Another good way for travellers to conceal a microSD card is to literally stick it to the body under a Band-Aid plaster, put it inside the back of a watch, in the lining of a suit or even in the centre of a sandwich or cream biscuit in a lunchbox. The possibilities for secure concealment are endless because of the microSD card's tiny size.

But the idea is to not be caught at all with anything that is compromising. Sensitive files can be stored on secure offshore websites and accessed via the Internet, but people can be someplace where they need to use those files but don't have Internet access, such as when travelling in remote areas. However, a microSD card can always be carried and used whenever required, but in a situation where there is no choice but to not be caught with sensitive data on a microSD card, it can be instantly destroyed, literally by chewing it up and there's nothing anybody can do to recover it or the data on it.

DESTROY THAT SENSITIVE DATA IMMEDIATELY BEYOND RECOVERY

So let's say you are sitting at your PC looking at some sensitive files that are on the microSD card and you get the dreaded knock on the door. If somebody bursts in to search your premises, seize your computer and look for anything incriminating, you can just chew the microSD card up on the spot like a small wafer and swallow it. If you chew the tiny card up, nobody will ever recover anything from it. But you need to have a backup of your files, or you will lose them totally in such a scenario. This is what to do.

Using microSD cards is a great way to have easily accessible data files and other sensitive material that can be kept out of the hands of others or used against you. They are relatively inexpensive, but whatever it costs you is far cheaper than the consequences of being embarrassed or prosecuted for having material that you don't want to be caught with, or for anybody else to see.