
Hieu Ngo

Online Security Tips From A Former Hacker

Preface

In late 2019, I was released from US federal prison, after serving part of a 13-year
sentence. I’m a former computer hacker and identity thief. As a 16 year-old kid, I
got hooked on computers and technology. Maybe it was because my family had a
small electronics store in Vietnam. Through Google and IT magazines I learned about
hacking and security. At first, hacking was just a hobby and just for fun. But then I saw
the easy money I could make from hacking websites and stealing personal information.
I thought my life was good. I thought I was helping my family. But I wasn’t - the
more money I made, the longer I was in prison, away from my family.
I realize what I did was harmful to many people’s lives and I feel the pain of my
victims. That’s a big reason for me to write this cybersecurity guide, I hope this will
be helpful to as many people as possible. It’s also an opportunity for me to say sorry to
everyone. Prison is a difficult place, but it gave me time to think about my life and my
choices. I am committing myself to do good and be better every day. I now know that
money is just a part of life. It’s not everything and it can’t bring you true happiness.
I hope those cybercriminals out there can learn from my experience. I hope they stop
what they are doing and instead use their skills to help make the world better.
This security guide is my first step to do good for society. It took me many months
to make this project happen. I wrote and edited this guide countless times. I spent
days and nights doing research. I faced some challenges: in prison, I had no Microsoft
Word, no Google and no Internet. My solution was to write with pen and paper first,
and then type the text into the online messaging system we have access to, which
allows us to stay in contact with family and friends. This is not a word processor, but
thankfully it at least has a spell check function...


I was able to send my draft to Jonathan Lusthaus to prepare it for publication. I’m
very grateful to him for the support and encouragement he gave me. I am also thankful
for the support of my family, my “God-grandmother”, and other loved ones. I dedicate
this guide to those who passed away: Bob and Roy. I also thank my ex-girlfriend for
inspiring me to carry out this project in the first place.
I was so happy to finish this guide, and hopefully you - the average Internet user
- will find it helpful for improving your security and privacy. I write this as a former
attacker who benefited from security holes. Many of the tips that I provide are easy
to use and are common in the cybersecurity industry and beyond. But they need to
be applied by even more people.
As I wrote this guide while in prison, I had very limited resources to do more
research or check everything. If those who are tech-savvy find some mistakes or missing
information, I do apologize. Thank you for your understanding and support! In any
case, I can only offer my opinions on security and privacy. Every person needs to take
responsibility for their own decisions. But these are issues that should be taken very
seriously. There is a world of bad actors who are watching closely – I used to be one.
Introduction

This guide will walk you through practical online security methods and other useful
tips to better protect your privacy. The main goal is to help general Internet users
reduce risk to an acceptable level, because you can never remove all risk while you are
on the Internet. The truth is that there is no such thing as foolproof security.
The objective is to raise the cost of an attack to the point where it is no longer
worthwhile for the hackers, criminals and spies.
Technology is constantly changing, from mainframe computers, to desktop computers,
to laptops, to tablets. Now almost everyone has a smartphone, which is itself a
“computer”. In his book Future Crimes, Marc Goodman writes: “Everything is connected,
everything is vulnerable”. It is true that the Internet lets you travel around the world
in seconds without leaving your chair. It brings you a lot of ideas and information. It
connects you with people, allowing you to make new friends anywhere in the world. With
the Internet of Things (IoT), even household appliances can use the web to make people’s
lives easier.
But there is no shortage of news about corporations and individuals being hacked
left and right around the world. In recent years bad actors have exploited the IoT
devices in people’s houses and offices to create powerful botnets (networks of “zombie”
computers under the attacker’s control). They then use a botnet to carry out distributed
denial of service (DDoS) attacks, which knock a website offline with a flood of traffic
from thousands of sources at once. They can also use it to send spam and phishing emails,
or to steal financial data.
A lack of online security and privacy knowledge is no longer an option. You live
in an Internet era where everything is connected. It is more important than ever that
you stop for a minute and ask whether your device or your identity has been
compromised. The damage caused can be both emotional and financial, and it can
be difficult to recover from. The Internet has good sides and bad sides to it.
Free online services - such as Google, Facebook, Twitter, Snapchat, Instagram -
are “free” for a reason. You are paying with your privacy. These companies offer
some good benefits, such as connecting you with your loved ones, making new friends
and researching information. But you give up many rights by accepting the long and
boring Terms of Service (TOS), which you might never read. These companies might
collect your data to improve products and services. But they also trade your data to
advertisers and other corporations, and might even hand it over to governments.
Your sensitive data faces other threats too. While stored on the company servers
around the world, it is a target for hackers, criminals and spies. These actors work
around the clock to exploit these businesses. They might find a vulnerability in a
system, or trick an employee into accidentally downloading malicious software.
Privacy is an inherent human right. It is time for you to learn how to protect
your privacy both in the digital and physical worlds. The good thing is that security
technology keeps improving to prevent bad actors stealing your sensitive data. But you
can’t rely on this alone, and you can’t rely entirely on your IT department. Good
security requires the coordination of the company and the individual user. For
instance, individuals are particularly susceptible to “social engineering” attacks. An
IT department can’t prevent a user from being tricked into providing personal
information to an attacker or clicking on a malicious link.
This guide is written for you - the general Internet user. The best way to deal with
online security and privacy is to know who you are dealing with. As the old saying
goes: “Know your enemy before going to the battle”. As a former attacker, I hope
to offer you some insights on basic (and intermediate) security and privacy methods
to help keep you safe.
Practical Security and Privacy Methods

Top 10 General Security Tips

I begin with some general tips that will help keep you safe online. These are my top 10:
• Never click on ads or links that you didn’t search out. If you have searched for some-
thing, don’t assume that all sites are safe. (E.g. many sites linked to popular search
terms “free” or “lyrics” may be malicious). Only visit well-known and established
websites because they maintain better security.
• Add your favorite websites into your browser’s bookmark option to eliminate occa-
sional typing mistakes. These mistakes may lead you to scam sites. For example,
instead of going to a correct official website like www.facebook.com, you might
accidentally go to a malicious website like www.faceboook.com or www.facbook.com.
• If you receive suspicious emails or messages with attachments, always double check
with your contact through another channel (a phone call, or a different messaging app).
These messages may not be from them, even if the sender’s name and address look right.
• Never trust any emails or messages which sound too good to be true. These might
come from bad actors trying to infect your computer with malware and steal
your passwords or other sensitive information. (For the more expert, such attachments
can be opened inside a Virtual Machine, which isolates the risk to a disposable system
that you delete afterwards. But this is risky for those who do not know what they are
doing: the VM must have no access to your real files and must not be reused for
anything else.)
• Always use multi-factor authentication where it is offered. For services that provide
it, also check options like “my activity” or “account activity”. This way you can
keep track of any threats to your accounts, such as sign-ins from devices or locations
you do not recognise.
• Never use the same password for every online service. If a bad actor gets your only
password (for example from a breach of one website), they can use it to log into any
and all of your accounts. Each important service should have a different password (as
with the example of the “Spider’s Web” below).
• Avoid using simple and easy to guess passwords, like plain dictionary words, “pass-
word” or your username. “123456” and “qwerty” are also a bad idea. You should
also not use your personal information as a password, as it might be easily guessed
using other sources (for example, a date of birth, loved ones’ names, a phone number,
a dog or cat’s name). Also avoid sharing your password with others.
• Writing down your passwords can save you from remembering them, but also brings
risks. Storing them in your email or in a plain file on your devices can be dangerous. If
you really want to write passwords down on a piece of paper, make sure that they are
recorded in a way that only you can understand (in case the sheet falls into the wrong
hands), and keep the sheet somewhere locked rather than next to the computer.
• Avoid posting sensitive information on your social media accounts, as bad actors
can use this information against you or your contacts.
• Change the default password on all of your devices or software to a new and strong
password. Bad actors always look for easy ways to attack you, including by using
lists of manufacturers’ default passwords (e.g. the default password of a Wifi router
could be “password”, “admin” or “123456”).
Beyond these tips, below I provide more specific information on securing your account,
browsers, operating systems, data, communications and traffic.
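The bookmark tip above is really a defence against look-alike domain names. As an added example (mine, not part of the original guide), the Python below flags a domain that is within a couple of character edits of a site you trust, or that hides a trusted name inside a longer one; the trusted list and the test domains are constructed for illustration.

```python
"""Look-alike domain check for the bookmark tip.

Added example, not from the original guide. TRUSTED and the domains used
in demo() are CONSTRUCTED for illustration.
"""

TRUSTED = ("facebook.com", "google.com", "paypal.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_name(host: str) -> str:
    """Reduce 'www.login.faceboook.com' to 'faceboook.com' (last two labels).
    Good enough for .com-style names; suffixes such as .co.uk would need a
    public-suffix list, which is out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted=TRUSTED, max_edits: int = 2):
    """Return the trusted domain this host imitates, or None.

    An exact match (or a real subdomain of it) is not a look-alike. A host that
    merely *contains* a trusted name, e.g. facebook.com.evil.net, is flagged,
    because that is the other common trick besides misspelling."""
    lowered = host.lower()
    name = registrable_name(lowered)
    if name in trusted:
        return None
    for t in trusted:
        if edit_distance(name, t) <= max_edits:
            return t
        if t in lowered and not lowered.endswith("." + t):
            return t
    return None


def demo() -> dict:
    """Constructed sample of typed addresses and what the check says."""
    samples = ("www.facebook.com", "www.faceboook.com", "facbook.com",
               "paypa1.com", "facebook.com.evil.net", "example.com")
    return {h: lookalike_of(h) for h in samples}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:26} -> {'looks like ' + verdict if verdict else 'ok'}")
```

Edit distance catches doubled or dropped letters and digit-for-letter swaps; it does not catch Unicode homoglyphs (a Cyrillic “а” in place of a Latin “a”), which is one more reason to use the bookmark rather than type.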

Secure Your Accounts

Your password is one of the most important things that you should care about - because
things can get ugly if your credentials fall into the wrong hands. It is also still the most
common method used to protect an account. In this section, you will learn how to create
a good and strong password – 12 characters or longer, or a passphrase of several random
words, is a good practice today, with 8 to 10 characters the bare minimum – to stop
bad actors guessing or cracking it. You will also learn about password manager software,
multi-factor authentication apps and other helpful tips to protect your online accounts
for email, social media, cloud storage and beyond.

Spider’s Web Password Generator Concept

I have devised a method which I call the “Spider’s Web” password gen-
erator. It is simple, secure, free to use and convenient. There is no need
to download an app or log onto a website to use it, all you need is paper
and a pencil (or you can use basic programs like Microsoft Word).
How to use it:

Figure 1. A random example of “Spider Web”

Figure 2. An empty one to create your own “Spider Web”



In Figure 1 above, you have 4 circles. Each circle contains 16 boxes and each
box contains one character (an uppercase or lowercase letter, numeral or symbol).
No character appears in more than one box.
From the outside in, the first and third circles contain bold capital letters
and numbers. These circles are for your easy-to-remember master password.
Note: the letters and numbers must all be different from each other. You
don’t have to use symbols in these first and third circles, because a master
password containing symbols would be hard for you to remember.
The second and fourth circles contain letters, numerals and symbols,
which are not bold or in capitals. These are used to form passwords for
your computer account or online service accounts such as email or social
media. By using this system, you can create complex passwords without
needing to remember them all.
For instance, a simple method is to use the shorthand name of an online
service plus your master password. With this method, the passwords will
be unique for each of your accounts. If you were creating a new Youtube
account, then you could combine a shorthand for Youtube, such as “utube”,
with your master password, e.g. “vietnam”. The resulting combination
would be UTUBEVIETNAM. Then you would use the second and fourth
circle of Figure 1 to discover your Spider’s Web password. If you start with
letter “U” in the third circle, you will find it corresponds to the symbol “^” in
the fourth circle. Then the letter “T” in the first circle matches the number
“1” in the second circle. Keep going like this until you have: ^1^%Rz7R1E8h.
This is the password you would actually use for your Youtube account.
The figure I have provided is just a guide. You need to create your own
Spider’s Web by using the blank one in Figure 2 that I have provided. Just make
sure that the first and third circles contain all the characters you plan to
use for your master password and other combinations. You can also create
your own version by hand or using Microsoft Word, which would allow the
design and number of boxes to be altered, as you like. However you do
it, make copies – for your home, your wallet, your smartphone and so on
as needed (though be sure to keep track of them and don’t misplace them
or leave them lying around in public places).
You might also consider other creative ways to use the Spider’s Web
password generator. For instance, using the same basic approach, your
password for Facebook could be: FBVIETNAM. Instead of using the same
method above, you can jump backwards and forwards one or more boxes
in the second and fourth circle. For example, in “Figure 1”, you start with
the letter “F” in the first circle. Instead of using the symbol “@”, you
jump one box forward and use the letter “v” in the second circle. Keep
going until you have: v!7WYfXlB.
Another method is “jumping the circle”. If your password for Gmail
is GMVIETNAM, you would start with the letter “G” in the third circle.
Instead of using the number “6” in the fourth circle, you jump to second
circle and you get the letter “f”. If you keep going like this then you have:
f%2aY$alXJ2%.
There are many other ways to use the Spider’s Web. The greater the
complexity you build into your approach, the greater your security. But you
must make sure you remember any unique and creative method. You can
also use this system to provide greater protection for security questions and
answers, which are often used as a failsafe if a password is forgotten. But
these responses can sometimes be easily guessed or cracked. The Spider’s
Web means that seemingly random characters can be used instead of a
dictionary word or other simple response.
Two cautions. With the simple method, the part of every password that comes
from your master password (VIETNAM in the examples) is turned into the same
characters every time, so if two of your passwords leak in website breaches, the
shared block and the pattern become visible; the jumping variants are there to
break that pattern. And anyone who gets hold of your Spider’s Web card together
with one of your passwords can work out the rest, so treat the card like a key,
not like a note.
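To make the mechanics concrete, here is the Spider’s Web written out as a substitution table in Python. This is an added example, not part of the guide: the table is constructed so that it reproduces the mappings the worked example reveals (U→^, T→1, B→%, E→R, V→z, I→7, N→E, A→8, M→h, F→@, G→6); the other 21 entries, and the order of the output ring used for the “jump” variant, are arbitrary stand-ins and are not the contents of Figure 1.

```python
"""The Spider's Web as a lookup table.

Added example, not from the guide itself. WEB is a CONSTRUCTED table: it
reproduces the mappings visible in the guide's worked example; the remaining
entries are arbitrary stand-ins, not Figure 1. Keys play the role of the first
and third circles, values the second and fourth.
"""

WEB = {
    "A": "8", "B": "%", "C": "q", "D": "#", "E": "R", "F": "@", "G": "6",
    "H": "k", "I": "7", "J": "n", "K": "$", "L": "d", "M": "h", "N": "E",
    "O": "p", "P": "!", "Q": "w", "R": "x", "S": "3", "T": "1", "U": "^",
    "V": "z", "W": "s", "X": "Y", "Y": "&", "Z": "m", "0": "v", "1": "*",
    "2": "j", "3": "L", "4": "b", "5": "g",
}

# The "jump" variants walk along the output circles; the order of WEB's values
# stands in for the box order of those circles (also an assumption).
RING = list(WEB.values())


def check_web(web: dict) -> None:
    """A usable web is one-to-one: if two boxes held the same output character,
    two different master passwords could produce the same site password."""
    if len(set(web.values())) != len(web):
        raise ValueError("two boxes hold the same output character")


def derive(shorthand: str, master: str, jump: int = 0) -> str:
    """Password for one site: look each character of shorthand+master up in the
    web, then optionally step `jump` boxes forward around the output ring (the
    guide's 'jump one box forward' variant; jump=0 is the simple method)."""
    check_web(WEB)
    out = []
    for ch in (shorthand + master).upper():
        if ch not in WEB:
            raise ValueError(f"{ch!r} is not in the first or third circle")
        out.append(RING[(RING.index(WEB[ch]) + jump) % len(RING)])
    return "".join(out)


def common_suffix(a: str, b: str) -> str:
    """Longest run of identical characters at the end of two passwords: what a
    breach of both would reveal about the shared master password."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else ""


if __name__ == "__main__":
    yt = derive("utube", "vietnam")   # the guide's own example: ^1^%Rz7R1E8h
    fb = derive("fb", "vietnam")
    print(yt, fb, "shared block:", common_suffix(yt, fb))
    print("Facebook with a one-box jump:", derive("fb", "vietnam", jump=1),
          "shared block:", common_suffix(yt, derive("fb", "vietnam", jump=1)))
```

The last two lines show the point of the jumping variants: with the simple method the YouTube and Facebook passwords end in the same seven characters, and with a one-box jump on one of them they share nothing.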

Password Manager Software

The Spider’s Web is not the only password approach that you could
adopt. There are also a number of programs available that store multiple
passwords in one encrypted location. Examples include LastPass, KeePass, Bitwarden,
1Password, Dashlane, Password Safe, Password Gorilla and RoboForm.
Some are cloud-based solutions that sync your (encrypted) vault across multiple
devices, while others are offline and can be used only on devices that have the
software installed. For those who don’t trust cloud-based password managers,
offline programs such as KeePass or Password Safe are the alternative. Along
with generating long random passwords for you and warning about reused ones,
these programs encrypt your passwords. You then only need to remember one
password, which is called the master password (but be sure not to forget it, and
protect the manager itself with multi-factor authentication where it supports it!).
Diceware is something different: not a program but a method for choosing a
master password that is both strong and memorable, by rolling dice to pick
several random words from a published word list.
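The Diceware idea and the question of how long a password needs to be both come down to counting guesses, so here is an added example (not from the guide) that generates a Diceware-style passphrase and computes the entropy of a passphrase versus a short random password. The 36-word list is constructed so that two dice select a word; the real Diceware list has 7,776 words (five dice), and the arithmetic is the same.

```python
"""Diceware-style passphrase and a strength comparison.

Added example, not from the guide. WORDS is a CONSTRUCTED 36-word list so two
dice (6*6 outcomes) pick one word; it is NOT the real 7,776-word Diceware list.
"""
import math
import secrets

WORDS = (
    "acorn", "badge", "cable", "dairy", "eagle", "fable",
    "gable", "habit", "icing", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "paint", "quilt", "radio",
    "salad", "table", "ultra", "vivid", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "daisy",
    "ember", "fjord", "giant", "honey", "ivory", "joker",
)
SIDES = 6


def rolls_needed(list_size: int) -> int:
    """Dice per word. The list must hold exactly 6**n words: otherwise mapping
    rolls onto it would be biased or run off the end, which is the same
    'modulo bias' mistake seen in home-made password generators."""
    n = round(math.log(list_size, SIDES))
    if SIDES ** n != list_size:
        raise ValueError(f"word list must have a power-of-{SIDES} size, not {list_size}")
    return n


def roll_index(n_dice: int, die=lambda: secrets.randbelow(SIDES)) -> int:
    """Read n dice as one base-6 number. `die` is injectable for testing;
    the default uses the OS cryptographic random source, never random.random()."""
    idx = 0
    for _ in range(n_dice):
        idx = idx * SIDES + die()
    return idx


def passphrase(n_words: int, words=WORDS, die=lambda: secrets.randbelow(SIDES)) -> str:
    n_dice = rolls_needed(len(words))
    return " ".join(words[roll_index(n_dice, die)] for _ in range(n_words))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent picks from `choices` options: roughly the
    number of yes/no questions an attacker who knows the method still has to answer."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print("sample passphrase:", passphrase(6))
    print(f"6 words from this 36-word list : {entropy_bits(36, 6):5.1f} bits")
    print(f"6 words from real Diceware     : {entropy_bits(7776, 6):5.1f} bits")
    print(f"8 random printable characters  : {entropy_bits(95, 8):5.1f} bits")
    print(f"12 random printable characters : {entropy_bits(95, 12):5.1f} bits")
```

Six words from the real list give about 77 bits, which beats 8 random characters (about 53 bits) by a wide margin and is far easier to remember; a 12-character random password (about 79 bits) is comparable, which is why the section above recommends 12 or more.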

Multi-factor Authentication Options

Multi-factor authentication improves the security of your accounts: even a bad
actor who has your password cannot log in without the second factor. It is a
good idea to use it on any platform that provides this function (e.g. Gmail
and Facebook). Authenticator apps such as Google Authenticator and Duo Mobile
can be used across your online accounts. When you set them up, the service
shares a secret with the app (usually by scanning a QR code); from then on the
app computes a fresh six-digit code every 30 seconds from that secret and the
current time, and nothing is sent to your phone at all. Some services instead
text you a one-time code via SMS, which is better than nothing but weaker,
because SMS can be intercepted, or redirected by tricking your mobile operator
into moving your number to a new SIM.
Some companies have also been exploring biometric authentication options.
These include fingerprint, iris, voice and facial recognition, which can be used
to unlock your devices or verify payment transactions for, say, Alibaba or
Apple. Remember that a biometric cannot be changed if it leaks, so on most
devices it only unlocks a locally stored key and does not replace your password.
If you don’t feel comfortable with these biometric authentication options, the
best option remains a password plus a second factor.
For those interested in taking things further, there are also some hardware
options available. These include USB security keys like MobiKey, Nitrokey and
YubiKey, which support the U2F/FIDO2 standard. Such a key holds a private key
that never leaves the device and signs a challenge from the website that
includes the site’s real address, so a phishing site with a look-alike name
cannot reuse the response. There are also chip-enhanced security ID cards
available, such as Qwertycards.com.

Secure Your Internet Browser

Security-focused Internet Browsers

There are many Internet browsers on the market now, such as Brave, Comodo
Dragon, Epic Browser and Tor Browser, and the popular ones like Firefox,
Microsoft Edge and Google Chrome (and its open-source base, Chromium). Most of
these browsers offer security and privacy options, such as blocking third-party
tracking cookies, isolating sites from each other and warning about known
malicious pages. Only Tor Browser, by routing your traffic through the Tor
network, actually hides your real IP address from the sites you visit. But one
major concern in your choice of browser is that the more popular a browser is,
the more hackers, criminals and spies will target it, looking for vulnerabilities
and ways to inject malware onto your devices. Whatever you choose, keep it
updated: a browser exploit is only useful to an attacker until the fix is installed.

Internet Browser Add-ons

HTTPS Everywhere was a browser add-on for the popular browsers, such as Firefox,
Chromium and Opera, that made sure you connected over HTTPS, i.e. with the
web-encryption technology Transport Layer Security (TLS), the successor to the
older Secure Sockets Layer (SSL), wherever a site supported it. Today Firefox,
Chrome and Edge have an “HTTPS-only” mode built in that does the same job, so
turn that on instead. TLS prevents anyone on the network path from eavesdropping
on, or tampering with, your communications. While it is the best we have, it is
still not a bulletproof solution. An attacker can still mount a “man-in-the-middle”
attack if they can obtain a certificate that your browser trusts for the site’s
name, for example by stealing the site’s private key, by getting a certificate
authority to issue one wrongly, or by tricking you into installing their own root
certificate. Never click through a browser certificate warning on a site where
you log in or pay.
There are also add-ons which are useful for blocking ads, trackers, cookies and
scripts. These include uBlock Origin, Privacy Badger, Disconnect, Ghostery and
NoScript (FlashBlock is no longer needed now that Flash has been removed from
browsers). They can help prevent attempts to track your online activities or
trick you into visiting a malicious website through a malicious advertisement.

Secure Your Operating System (OS)

As with browsers, there is no perfect OS. Each has its strengths and weaknesses. For
example, Microsoft Windows has strong security protection features, but because of
its popularity and huge user-base, it is always a main target of bad actors. There are
other OS, such as Whonix, Qubes, Tails, Ubuntu, Red Hat, macOS, Google Chrome
OS and GalliumOS. And there are OS for mobile devices, like Google Android and
Apple iOS. These mobile OS have been a very attractive target for bad actors because
everyone has a smartphone nowadays. The key to keeping out bad actors is constantly
updating your OS and other software: attackers routinely exploit vulnerabilities for
which a patch already exists.
In addition to choosing the right OS, there are other software protections available.
These include solutions to encrypt individual files and entire hard drives, such as Viivo,
VeraCrypt, BitLocker (Windows), FileVault (macOS), WinMagic and Symantec Whole Disk
Encryption. Full-disk encryption is what protects your data when a laptop is lost or
stolen; turn it on, and keep the recovery key somewhere safe. More widely known is
antivirus software. Well-known brands include: Cylance, Kaspersky, Norton, AVG,
Bitdefender, Malwarebytes, McAfee and so on. These help to detect, isolate and remove
viruses and other malware. But just having such software is not enough. It is important
to disable the “AutoRun”/“AutoPlay” feature on your devices so that a program on a USB
drive or CD cannot start by itself when the media is plugged in. It is a golden rule
that these portable devices are always scanned with antivirus software before you
open anything on them, and that you never plug in a USB stick you found or were
given unexpectedly.
Here are some other useful tips:
• To limit vulnerabilities, make sure that all software is regularly updated. For the
same reason, you should uninstall any software that you don’t need.
• To help with updates, turn on the “auto-update” option on your devices to keep
your OS patched against the latest security threats.
• Unless you know what you are doing, it is safest not to “jailbreak” (or “root”) your
devices: it removes the protections that keep apps isolated from each other and from the OS.
• Only download software from trusted sites. If you didn’t go looking for a particular
piece of software, be cautious. Don’t be tricked into downloading fake antivirus or
scareware.
• Use a firewall. This is often an inbuilt feature of many OS, and will help block
unwanted connections to your machine. Third party firewall software is also available.

Secure Your Data and Communications

Nowadays, hackers, criminals and spies have tools to monitor and record your phone
calls, text messages, photos and emails. It is always helpful to equip yourself with
good knowledge to defend against these threats. Luckily, end-to-end encrypted
communication services are becoming widely available and easy to use. They can
provide encryption for text messages, calls, emails and file sharing. Some well-known
platforms include: Signal, Wickr, ProtonMail, PGP (Pretty Good Privacy), and many more
(RedPhone was the encrypted-calling app that became part of Signal). Telegram deserves
a note of caution: only its “secret chats” are end-to-end encrypted, so its ordinary
chats and groups can be read by the service.
However, end-to-end encrypted communication services only work if two (or more)
people agree to use them and choose the same service. You also still need to be
sure that the person you think you are communicating with is actually the person you
are communicating with: the apps let you compare a code (Signal calls it a “safety
number”, PGP a key “fingerprint”) in person or over another channel, and if that code
does not match, someone may be sitting in the middle of the conversation. For the
very cautious, cryptophones can be purchased, which have encryption built into the phone.
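Why comparing that code matters is easiest to see by running the attack. The Python below is an added example, not from the guide: it simulates a Diffie-Hellman key exchange, first honestly and then with “Mallory” swapping the public values in transit, and shows that only the out-of-band fingerprint comparison reveals the difference. The parameters (p = 2^127 − 1, g = 2) are toy values chosen so it runs instantly; they are far too small for real use, and the secrets are passed in explicitly so the runs are reproducible.

```python
"""Why you must verify your contact's key: unauthenticated key exchange.

Added example, not from the guide. TOY Diffie-Hellman parameters (p = 2**127-1,
g = 2): fine for a demonstration, useless for real security.
"""
import hashlib
import secrets

P = 2 ** 127 - 1   # a Mersenne prime; real systems use 2048-bit+ groups or elliptic curves
G = 2


def public(priv: int) -> int:
    return pow(G, priv, P)


def shared(priv: int, peer_pub: int) -> bytes:
    """Session key: both ends get the same bytes only if each really holds the
    other's public value (g^ab = g^ba)."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def fingerprint(pub: int) -> str:
    """The short code two people compare out of band (Signal's safety number
    is a combination of both parties' fingerprints)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:12]


def random_secret() -> int:
    """Fresh private value from the OS random source, for non-test use."""
    return secrets.randbelow(P - 2) + 1


def honest_exchange(a: int, b: int) -> dict:
    """Alice (secret a) and Bob (secret b) swap public values directly."""
    A, B = public(a), public(b)
    return {
        "same_key": shared(a, B) == shared(b, A),
        "alice_sees_bob_as": fingerprint(B),   # the code Alice's app displays
        "bob_real": fingerprint(B),            # the code Bob's app displays
    }


def mitm_exchange(a: int, b: int, m1: int, m2: int) -> dict:
    """Mallory replaces each public value in transit with her own (m1 towards
    Alice, m2 towards Bob). Both victims still 'connect fine'; Mallory decrypts
    and re-encrypts every message, and only the fingerprints give her away."""
    A, B = public(a), public(b)
    M1, M2 = public(m1), public(m2)
    alice_key = shared(a, M1)   # Alice believes M1 is Bob's public value
    bob_key = shared(b, M2)     # Bob believes M2 is Alice's
    return {
        "alice_bob_agree": alice_key == bob_key,              # False: two separate keys
        "mallory_reads_alice": shared(m1, A) == alice_key,   # True
        "mallory_reads_bob": shared(m2, B) == bob_key,       # True
        "alice_sees_bob_as": fingerprint(M1),                # what Alice's app shows
        "bob_real": fingerprint(B),                          # what Bob's app shows
    }


if __name__ == "__main__":
    a, b, m1, m2 = random_secret(), random_secret(), random_secret(), random_secret()
    print("honest:", honest_exchange(a, b))
    print("mitm:  ", mitm_exchange(a, b, m1, m2))
```

In the honest run the two displayed codes match; in the attacked run each victim’s app shows Mallory’s fingerprint instead of the real one, which is exactly what a “safety number changed” warning or a mismatched code read out over the phone detects.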
Backing up your data is a very important security measure. But this also needs to be
done safely. Cloud-based storage has become very popular in recent years. Well-known
providers include Dropbox, Google Drive and Amazon AWS, among a number of others.
The advantage of such backup systems is to guard against threats like hard-drive failure,
virus infection (including ransomware, provided the backup keeps older versions of your
files) or the theft of the device itself. Some of these services encrypt your data on their
servers, but the provider still holds the key; if you want to be sure nobody else can
read it, encrypt it yourself before uploading it. The privacy conscious might even build
their own cloud storage by running Nextcloud or ownCloud on a private server or a VPS
(Virtual Private Server), often installed as a Docker container.
For those who are suspicious of cloud services, or want layers of protection or backups,
there are other options available. You should also have your important data held on
an encrypted external hard drive, kept disconnected when not in use so that malware on
your computer cannot reach it. For very important documents, you might print out a
hardcopy as well.
Here are some other useful tips:
• By reading the Terms of Service (TOS) of an online service, you will know what
you are dealing with. Nothing in life is free, it comes with a hidden cost and it is
up to you to decide to either use it or not. Just be mindful, that’s all!

• Before buying “smart” devices, make sure you do your homework first to see if they
are safe to use for your family. Often you can adjust privacy features. Devices such
as Amazon Echo or Google Home are always listening for their wake word, and whatever
they capture after it (including accidental activations) is sent to and stored by the
company, so you shouldn’t say anything too sensitive near them as it might be held by
these companies or passed to others. It’s just like social media posts, which once out
there might come back to haunt your job interview, ruin your business or your personal
relationships. The fewer IoT devices in your house, the safer. If you still need to use
one, use it wisely: change its default password, put it on a separate “guest” Wifi
network away from your computers, and keep its firmware updated.
• Cover your webcam or camera with a piece of black tape or a Post-it note while
you are not using it. It helps prevent anyone spying on you.
• Wifi security is important for preventing eavesdropping on your Internet traffic.
Important practices include using a long Wifi passphrase, changing the router’s own
admin password, keeping your router’s firmware up-to-date, disabling the Wifi Protected
Setup (WPS) option (its 8-digit PIN is checked in two halves, which lets an attacker
brute-force it in about 11,000 attempts), and buying a new Wifi router with the latest
security protections (WPA3, or at least WPA2).
• Sensitive data can be recovered from old hard drives. To make sure it doesn’t fall into
the wrong hands, overwrite the drive with software like WipeInfo (or the manufacturer’s
secure-erase tool) before selling or discarding it. Simply deleting files, or even
formatting the drive, does not remove the data. On SSDs and USB flash drives even
overwriting is not reliable, so the safest approach is to have used full-disk encryption
from the start and then destroy the key.
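For a single file rather than a whole drive, the overwrite-then-delete routine that WipeInfo-style tools perform looks like the Python below. It is an added example, not from the guide, and runs on a constructed temporary file; the comments carry the caveat that this only means something on a spinning disk.

```python
"""Overwriting a file before deleting it (what WipeInfo-style tools do).

Added example, not from the guide. demo() works on a CONSTRUCTED temporary
file. See overwrite_file() for why this is only meaningful on spinning disks.
"""
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite the file's bytes in place with random data, forcing each pass
    to disk. Returns bytes written.

    Caveat: on SSDs and USB flash drives the controller may write the new data
    to a different physical block and leave the old one readable (wear
    levelling), so this does NOT reliably erase there. Use the drive's built-in
    secure erase, or full-disk encryption and destroy the key."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = secrets.token_bytes(min(remaining, 1 << 16))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())
    return size * passes


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite, then rename to a random name (so the old file name does not
    linger in the directory entry either), then unlink."""
    written = overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return written


def demo() -> dict:
    """Constructed: write a known secret, overwrite it, show that it is gone."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "bank-statement.txt")
    original = b"account 1234-5678 balance 9000\n" * 50
    with open(path, "wb") as f:
        f.write(original)
    written = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    deleted = secure_delete(path)
    return {
        "bytes_overwritten": written,
        "content_changed": after != original and len(after) == len(original),
        "still_exists": os.path.exists(path),
        "bytes_on_delete": deleted,
    }


if __name__ == "__main__":
    print(demo())
```

One pass of random data is enough for modern magnetic drives; the old multi-pass patterns date from far lower-density media. What no file-level wipe can reach are the copies the OS made elsewhere (search indexes, previews, swap, old backups), which is why full-disk encryption is the real answer.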

Secure Your Internet Traffic

The options below help secure your Internet traffic. They can protect you from snooping
and protect your identity online. While you might be worried they are difficult to use,
often they are quite a simple solution to preserving your privacy.

Virtual Private Network (VPN)

VPNs are commonly used by corporations to give their employees remote
access to company servers and provide secure communications. Employees
then can work safely from outside the office. For individuals, a commercial VPN
is one of the easiest protections to use on public Wifi, no matter where you go
and how unsecured the Wifi connection is. It creates an encrypted tunnel from
your device to the VPN provider’s server, so anyone listening in on whatever
seedy public Wifi you have managed to connect to (a café, an airport lounge,
and so on) sees only scrambled traffic, and the websites you visit see the VPN
server’s IP address rather than yours. Be clear about what a VPN does not do:
the VPN provider itself can see all your traffic, so you are moving your trust
from the café to the provider, and a VPN does nothing against phishing or malware.
Some trusted VPN providers include: F-Secure Freedome, NordVPN,
ProtonVPN and Sprint Secure Wifi. Prefer one with a published no-logging
policy that has been independently audited. After you buy a VPN, the service
will provide you with the instructions and the login details.

Proxies

Proxies are a fairly easy way to hide your IP address from the sites you visit,
but they can provide poor quality connections, so they are most handy for
personal and temporary activities. Unlike a VPN, a plain web proxy does not
encrypt your traffic, and the proxy operator can read or alter anything that is
not already protected by HTTPS, so never log into an important account through
a free proxy you know nothing about. Some proxy services are free, while others
are subscription-based services.

The Onion Router

Tor can be a good alternative to proxies. It began as a research project of
the US Naval Research Laboratory and is now run by the independent, non-profit
Tor Project, drawing funding from many different groups. It hides your actual
IP address by sending your traffic through three volunteer-run relays, each of
which peels off one layer of encryption (hence “onion”), so that no single relay
sees both who you are and which site you are visiting. Tor is not a foolproof
security technology, as the FBI demonstrated in the shutdown of the Silk Road
marketplace and the arrest of its administrator, though that case turned on
mistakes by the operator rather than a break of Tor itself, which is the usual
way Tor users get caught. But since you are a good citizen and just want to
secure your Internet traffic and avoid the eyes of intruders, then it is fine to
use Tor freely. You can even contribute to the overall success of Tor simply by
using it: the more people who join the network, the harder it is to single anyone
out. Use the official Tor Browser rather than pointing another browser at Tor,
and remember that the last relay (the “exit node”) can see your traffic to any
site that does not use HTTPS.

Virtual Machine (VM)

A different way to secure your traffic involves setting up a virtual machine
on your computer. This emulates another computer system, with an OS
and other software applications, on your same hardware. One advantage
is it could help eliminate the cost of buying/building a new computer.
But its main value is isolating activities from your actual machine: a website
or a piece of malware inside the VM sees the VM’s own (virtual) MAC address
and disk serial numbers rather than your real ones, and if the VM gets
infected you can delete it and start again. This creates a stress-free
environment for you, particularly if you wish to carry out activities where
you would like to protect your actual computer from snooping or malware
infection. Two caveats: the VM still reaches the Internet from your real IP
address unless you route it through a VPN or Tor, and a VM is a strong wall
but not a perfect one, as bugs in VM software have occasionally let malware
escape to the host.
You can set up a virtual machine by using software like Oracle VM
VirtualBox, VMware or QEMU. For example, with the free VirtualBox you
can set up a Linux or Windows guest (macOS guests are supported only on
Apple hardware). There is plenty of information online that delves further
into VMs and how to set them up. If you have lots of hard drive space, you
can set up as many VMs as you want, for many different purposes. You can
even keep a VM image of your actual machine on a portable USB drive,
or use a setup where a smartphone can log into your VM over the Internet.

Virtual Private Server (VPS)

A virtual private server is similar to a VM, except that it runs on someone
else’s hardware in a data centre, so it doesn’t require setting up an actual
server of your own to help secure your traffic. Setting up a physical server
can cost both time and money, whereas a VPS can be rented cheaply from a
hosting provider. Some well-known hosting providers include: Amazon AWS,
Rackspace, DigitalOcean and DreamHost (Heroku is an application platform
rather than a plain server). A VPS can provide another layer of security, in
a similar way to a VM: if you route your traffic through it (for example by
running your own VPN server on it), the sites you visit see the VPS’s IP address
and not your own. Note that your computer’s MAC address and hard-drive serial
numbers are never visible beyond your local network in any case; what a VPS
hides is your IP address, and the hosting provider still knows who pays for it.

Combining Options

Depending on how much security and privacy that you need, you can combine
a number of these options together in different ways. But the more protection
layers you have, the slower your Internet speed will be, so you need to think of
the balance that you want. Many people may already use this setup:
Your Devices —> VPN —> Internet
But there is nothing stopping you from getting more creative and adding
layers. Two other setups I might recommend are:
Your Devices —> VPN —> TOR —> Internet
Your Devices —> VPS —> VPN —> Internet
The very privacy conscious people might even go for this arrangement:
Your Devices —> VM —> VPS —> VPN —> TOR —> Internet
There are countless other variations you can choose. Be creative. None
of them will be perfect, but you can at least make things that bit more
difficult for bad actors. Keep in mind what each layer hides and from whom:
in the VPN —> TOR setup, your Internet provider sees only a VPN connection,
the VPN provider sees only that you use Tor, and the sites you visit see a Tor
exit relay, but any site you log in to still knows exactly who you are.
