Friday, November 22, 2019

A phone and laptop manufacturing plant to be opened in Uganda today by His Excellency Y.K. Museveni

Mighty Yoweri Kaguta Museveni, the President of the Republic of Uganda, will in a few hours from now officially open the first phone manufacturing and assembly plant in Uganda, at Namanve Industrial Park.
The plant will produce 2,000 smartphones, 1,500 laptops, 800 chargers, 2,000 USB cables and 4,000 earphones.

Just pray for Africa!!! Space has been declared a military operational domain

The North Atlantic Treaty Organization (NATO) has identified space as an operational domain, alongside air, land, sea and cyber, the alliance's Secretary-General, Jens Stoltenberg, said.
"We have agreed that space should be a new operational domain for NATO alongside air, land, sea and cyber. Space is part of our daily life here on Earth. It can be used for peaceful purposes. But it can be also used aggressively", Stoltenberg told a news conference on the results of the NATO foreign ministers’ meeting in Brussels on Wednesday.
The alliance’s chief continued by explaining that satellites could be jammed, hacked or weaponized, which could lead to disrupted communications and affect various services and areas.
Moreover, space was essential to NATO’s defence and deterrence, such as the alliance’s ability to detect missile launches and gather intelligence, Stoltenberg argued.
Stoltenberg emphasized that NATO remained a defensive alliance and did not intend to put weapons in space, acting in line with international law.
"Making space an operational domain will help us ensure that all aspects are taken into account to ensure the success of our missions", the NATO chief noted.
While air, land and sea have been NATO's traditional operational domains, cyberspace was recognised as a domain of the alliance's defensive activities in July 2016.
Stoltenberg said earlier this week that the alliance, however, has "no intention to put weapons in space".
The US permanent representative to the alliance, Kay Bailey Hutchison, remarked that space was already playing a big role in communications and capabilities used by NATO. When asked whether an attack on a NATO member's satellite could trigger an Article 5 response from the alliance, Hutchison said that the article's concept was about "territory".
Article 5 of the North Atlantic Treaty provides that an armed attack against one or more NATO member states shall be considered an attack on all the allies.

US Top-Secret Military Facility Near Area 51 Emerges Online

The Tonopah Test Range is a restricted military test range located near the town of the same name in the state of Nevada. It is currently used for nuclear weapons stockpile reliability testing, research and development of fusing and firing systems, and testing of nuclear weapon delivery systems.
A YouTube blogger nicknamed TheArea51Rider yesterday uploaded a video in which he claims to have filmed an unidentified aircraft at a restricted test range southeast of Tonopah, Nevada.
In the video, the authenticity of which cannot be confirmed, the blogger recorded himself ostensibly near the military site, which lies in the vicinity of the notorious and highly classified Area 51. The YouTuber showed footage of an open hangar with what appeared to be an aircraft inside. He could not identify the vehicle, however, and wondered whether it was some sort of new secret military plane.
The Tonopah military site is a hotspot for various conspiracy theories surrounding the use of experimental and classified aircraft.
However, it is less popular among conspiracy theorists than the nearby Area 51 that attracts UFO enthusiasts who are convinced that the government is hiding the existence of extraterrestrial technology.

Were you safe with your camera!!! Just update your app

A few days ago, it was reported that the Facebook app was using the camera on certain versions of iOS without the user's permission. Now it has been discovered that a vulnerability in Google's and Samsung's Camera apps on Android allowed other apps to breach users' privacy.
This included recording video and audio (including during calls), capturing photos and extracting GPS data from the phone's stored media without any authorisation, then uploading all of it to a C&C server. Subtler tricks, such as silencing the camera's shutter sound, could also be used to conceal the hidden activity.
Tracked as CVE-2019-2234, the vulnerability was disclosed by Checkmarx in coordination with both Google and Samsung, who alerted users, the former stating:
To understand how this happens without the user's consent, note that an app would normally need the following permissions to perform any of the actions above:
1. android.permission.CAMERA,
2. android.permission.RECORD_AUDIO,
3. android.permission.ACCESS_FINE_LO
4. android.permission.ACCESS_COARSE
However, in this case it was found that an app holding only storage permission could invoke the Camera app's photo and video capture without holding the camera permission itself, and then read the resulting files, including their embedded GPS metadata, from external storage. Since the majority of apps request storage permission in order to operate, a very large number of apps were in a position to exploit this vulnerability.
Checkmarx has also put together a video to demonstrate such an exploit on a Google Pixel 2 XL with the help of a simple weather app.
To conclude, users can rest assured knowing that Google has fixed the vulnerability via a Play Store update to its Camera app while issuing a patch to all partner vendors; it is still worth checking that the Camera app on your own device has actually received the update. Companies, for their part, can take a lesson from the way Google and Samsung responded, instead of downplaying exposed flaws in their systems. This not only helps the ecosystem flourish but also helps users take precautions by understanding the security limitations their devices may have.

Tuesday, October 29, 2019

USA HAS BEEN SPACE SPYING ON THE WORLD FOR NEARLY TWO YEARS!!! HAVE YOU SEEN ALL I HAVE BEEN TELLING YOU.... YOU CANNOT AVOID CIA, WHEN IT COMES TO SPYING

The Air Force’s mysterious spy spaceplane, the X-37B, is back on Earth after spending more than two years in orbit. It’s still unknown exactly what the vehicle is for, but the Air Force admits that the spacecraft did carry a number of small satellites into space during this mission.
The X-37B landed at 3:51AM ET on Sunday, October 27th, at NASA’s Kennedy Space Center in Florida. The touchdown brought an end to the spaceplane’s fifth journey into space and the longest flight yet for the vehicle. The X-37B launched on top of a SpaceX Falcon 9 rocket on September 7th, 2017, and then went on to spend a total of 780 days in orbit. That’s a new record for the spacecraft, eclipsing the vehicle’s last stay in space, which lasted 718 days.
“The safe return of this spacecraft, after breaking its own endurance record, is the result of the innovative partnership between government and industry,” Gen. David L. Goldfein, Air Force chief of staff, said in a statement. “The sky is no longer the limit for the Air Force and, if Congress approves, the U.S. Space Force.”
The first flight of the X-37B took place in 2010, and exactly what the vehicle does up in space has been a mystery ever since. However, the Air Force has dropped a few hints from time to time. Resembling a mini-Space Shuttle, the X-37B is known to test out technologies and experiments meant to last for long periods of time in space. And this is the first time the X-37B has seemingly deployed unknown small satellites into orbit.
That has angered some in the space community. The Air Force did say that the X-37B would be taking up these small satellites when the vehicle launched in 2017. However, some space industry analysts have pointed out that none of these spacecraft have been officially cataloged by the Air Force. The satellites were also not registered with the United Nations, according to Jonathan McDowell, an astronomer at Harvard and space tracking expert. He argues that would violate the UN’s Registration Convention — which requires countries to tell the UN exactly what they’re sending into space. It’s possible that the satellites remained attached to the X-37B for its entire trip, which would skirt around the issue. But ultimately, we don’t know what became of them.
In the meantime, the X-37B will likely get a checkup from the Air Force. There are two currently operational X-37Bs, and one of them is set to fly again in early 2020.

FACEBOOK EMPLOYEES ARE AGAINST ALL THOSE POLITICIANS WHO WANT TO USE THE PLATFORM BY SPREADING LIES AND SENSELESS POLITICAL PROPAGANDA

I have for a very long time been worried about politicians here in Africa who predominantly have been using Twitter and Facebook to spread senseless political lies that are even unrealistic, segregative and in reality just serve to promote their political ambitions. In Uganda, we have witnessed many of them delivering messages full of hatred; I am not going to mention names, but you know them, I know them and we all know them. This is very dangerous, especially since it targets the youth, who can easily be lured into acts that put their lives in danger. And as for Facebook, it has promoted mistrust to the extent that by now there is no one in Africa who can easily trust any information spread via Facebook.
Facebook employees are urging Mark Zuckerberg to rethink his stance on allowing politicians to lie in political ads. In an open letter to company executives obtained by The New York Times, more than 250 people said the policy — which exempts such ads from Facebook’s third-party fact-checking standards — threatens what the company stands for:
Misinformation affects us all. Our current policies on fact checking people in political office, or those running for office, are a threat to what FB stands for. We strongly object to this policy as it stands. It doesn’t protect voices, but instead allows politicians to weaponize our platform by targeting people who believe that content posted by political figures is trustworthy.
They added that it fuels mistrust of the platform and “it communicates that we are OK profiting from deliberate misinformation campaigns by those in or seeking positions of power.”
Employees urged executives to restrict how politicians are able to target potential voters. Today, they are able to segment users based on how likely they are to vote or how susceptible they might be to a potential message — tactics made infamous by the political consulting firm Cambridge Analytica. “These ads are often so micro-targeted that the conversations on our platforms are much more siloed than on other platforms,” employees said. Facebook already applies such restrictions to ads related to housing, education, or credit, to stop potential discrimination.
Facebook's ad policy has been under fire since September, when vice president of communications Nick Clegg attempted to explain why the company would no longer "referee political debates" by fact-checking political ads. Elizabeth Warren claimed the move was a clear sign they were taking "deliberate steps to help one candidate intentionally mislead the American people," then escalated things further by posting an ad claiming Mark Zuckerberg and Facebook endorsed Trump. "We intentionally made a Facebook ad with false claims and submitted it to Facebook's ad platform to see if it'd be approved. It got approved quickly and the ad is now running," she tweeted.
Last week, the company took down an ad that falsely claimed Lindsey Graham (R-SC) supported the Green New Deal. The Really Online Lefty League, a liberal PAC, ran it to test whether Facebook’s policy applied to political organizations. Because the ad was purchased by a third-party group, it was subject to a stricter fact-checking policy than posts by the candidates themselves.
Two weeks ago, Mark Zuckerberg gave a speech at Georgetown University where he tried to crystallize his thoughts on free speech and his company’s role in moderating political conversations. The speech was widely criticized by the left and right; both parties thought Zuckerberg was shirking his responsibility for helping to spread misinformation. Now, it seems  his own employees agree.
A few days ago, hundreds of Facebook employees signed a letter to Mr. Zuckerberg and other leaders of the social network, decrying the company's decision to let politicians post any claims they wanted, even false ones, in ads on the site.
Here’s what the letter says:
We are proud to work here.
Facebook stands for people expressing their voice. Creating a place where we can debate, share different opinions, and express our views is what makes our app and technologies meaningful for people all over the world.
We are proud to work for a place that enables that expression, and we believe it is imperative to evolve as societies change. As Chris Cox said, “We know the effects of social media are not neutral, and its history has not yet been written.”
This is our company.
We’re reaching out to you, the leaders of this company, because we’re worried we’re on track to undo the great strides our product teams have made in integrity over the last two years. We work here because we care, because we know that even our smallest choices impact communities at an astounding scale. We want to raise our concerns before it’s too late.
Free speech and paid speech are not the same thing.
Misinformation affects us all. Our current policies on fact checking people in political office, or those running for office, are a threat to what FB stands for. We strongly object to this policy as it stands. It doesn’t protect voices, but instead allows politicians to weaponize our platform by targeting people who believe that content posted by political figures is trustworthy.
Allowing paid civic misinformation to run on the platform in its current state has the potential to:
— Increase distrust in our platform by allowing similar paid and organic content to sit side-by-side — some with third-party fact-checking and some without. Additionally, it communicates that we are OK profiting from deliberate misinformation campaigns by those in or seeking positions of power.
— Undo integrity product work. Currently, integrity teams are working hard to give users more context on the content they see, demote violating content, and more. For the Election 2020 Lockdown, these teams made hard choices on what to support and what not to support, and this policy will undo much of that work by undermining trust in the platform. And after the 2020 Lockdown, this policy has the potential to continue to cause harm in coming elections around the world.
Proposals for improvement
Our goal is to bring awareness to our leadership that a large part of the employee body does not agree with this policy. We want to work with our leadership to develop better solutions that both protect our business and the people who use our products. We know this work is nuanced, but there are many things we can do short of eliminating political ads altogether.
These suggestions are all focused on ad-related content, not organic.
1. Hold political ads to the same standard as other ads.
a. Misinformation shared by political advertisers has an outsized detrimental impact on our community. We should not accept money for political ads without applying the standards that our other ads have to follow.
2. Stronger visual design treatment for political ads.
a. People have trouble distinguishing political ads from organic posts. We should apply a stronger design treatment to political ads that makes it easier for people to establish context.
3. Restrict targeting for political ads.
a. Currently, politicians and political campaigns can use our advanced targeting tools, such as Custom Audiences. It is common for political advertisers to upload voter rolls (which are publicly available in order to reach voters) and then use behavioral tracking tools (such as the FB pixel) and ad engagement to refine ads further. The risk with allowing this is that it’s hard for people in the electorate to participate in the “public scrutiny” that we’re saying comes along with political speech. These ads are often so micro-targeted that the conversations on our platforms are much more siloed than on other platforms. Currently we restrict targeting for housing and education and credit verticals due to a history of discrimination. We should extend similar restrictions to political advertising.
4. Broader observance of the election silence periods
a. Observe election silence in compliance with local laws and regulations. Explore a self-imposed election silence for all elections around the world to act in good faith and as good citizens.
5. Spend caps for individual politicians, regardless of source
a. FB has stated that one of the benefits of running political ads is to help more voices get heard. However, high-profile politicians can out-spend new voices and drown out the competition. To solve for this, if you have a PAC and a politician both running ads, there would be a limit that would apply to both together, rather than to each advertiser individually.
6. Clearer policies for political ads
a. If FB does not change the policies for political ads, we need to update the way they are displayed. For consumers and advertisers, it’s not immediately clear that political ads are exempt from the fact-checking that other ads go through. It should be easily understood by anyone that our advertising policies about misinformation don’t apply to original political content or ads, especially since political misinformation is more destructive than other types of misinformation.
Therefore, the section of the policies should be moved from “prohibited content” (which is not allowed at all) to “restricted content” (which is allowed with restrictions).
We want to have this conversation in an open dialog because we want to see actual change.
We are proud of the work that the integrity teams have done, and we don’t want to see that undermined by policy. Over the coming months, we’ll continue this conversation, and we look forward to working towards solutions together.
This is still our company.

Friday, October 18, 2019

Security issues!!!! Let us be vigilant

Regards from the Uganda Police and the entire security fraternity. As earlier communicated by His Excellency the President and Commander in Chief, I take this opportunity to relay our reviewed security plan to tackle the current wave of violent crime, especially in the KMP policing area, that is, Kampala, Mukono, Wakiso and Entebbe, as well as other areas where it manifests. The detailed plan shall be given to the implementers, i.e. the joint security apparatus. What we shall share with the public is the following:
[ Background]
This reviewed plan sits within the 12 wider measures announced last year by the President. I want to report that a lot of strides have been made in this regard, including the aspects of installation of cameras, fingerprinting of firearms, improving the Police Forensics capacity, as well as improving the Crime Intelligence and Criminal Investigations Directorates, all of which are ongoing.
This notwithstanding, the KMP area has encountered a new wave of violent crime, which compelled us to review our plan in order to enhance better effect in decisively handling this prevalent crime. The revised approach is premised on five measures:
(1) Linkage with and effective communication with the public, as well as public awareness. Each family in a zoned area of responsibility shall be given a telephone line of the nearest station or post.
The public is encouraged to share all relevant information on all matters of security including distress calls. We shall put suggestion boxes at the stations and LC offices. Messages will only be accessed by a select team and all the messages will be treated with confidentiality. The public can also deliver text messages or whatsapp messages on 0707114114
We also appeal and encourage the public to have community based security approaches such as employment of village scouts, vetting and registration of those that work at homes- plumbers, casual labourers, house helps, etc.; installation of cameras in their premises and vehicles (taxis, public and private transport), to boost our surveillance and investigation capacities. Public vigilance and cooperation is very crucial in the effort to eliminate crime.
(2) Quick and effective response. In this regard, the KMP area is going to be divided into policing zones or security constituencies for each station or post, with attendant published call lines, reaction forces and linkage to all stations and posts as well as cameras, when there is a distress call. Other enablers include:
• Registration and marking of streets and residences to enhance quick response.
• Lighting of streets and/or individual premises or residences where affordable.
(3) Effective investigations and prosecution of culprits. To this end, we require a more robust and dedicated prosecution and judicial set up to handle this violent variant of crime. Government will discuss modalities with the Judiciary and the DPP.
(4) Profiling and pursuit of known repeat offenders. This is already an ongoing process and the hunt is on.
(5) The above mentioned measures mainly address the security of residences. However, we realise that violent crime also manifests in non-residential locations, affecting especially vulnerable pedestrians or motorists. In this regard, security will ensure more visibility, accompanied by camera surveillance (where available) to respond to incidents.
• However, the public can also play a critical role here. We therefore mobilise the public to be extremely vigilant and security conscious. Avoid moving with lots of money without the requisite security precautions. If you have to move late, make the necessary security contingencies, including not moving alone, and update those concerned in case you need help. Do not expose those that are most vulnerable to unnecessary risk, especially young children and ladies moving alone late in the night.
If we step up individual and group/communal vigilance and consciousness, the risk to individuals can also be largely mitigated. We shall keep updating you as we proceed with implementation of these added measures.
Thank you very much.
For God and my country
Maj Gen Sabiiti Muzeyi psc, ndc
FOR: Inspector General of Police

Saturday, October 12, 2019

Is your web site secure?

Securing your site has never been more critical, and that means keeping up with the current security options. But what does securing a website actually mean? It means writing modern, secure code and applying server patches regularly, but also defending against attacks that play out in the user's browser, where the server has no direct control. That is where security headers come in: the server sends them with its responses, the browser evaluates them, and the user is protected against a whole class of attacks. Note that this protection depends on the browser supporting each header; an old or unusual browser may simply ignore it.

HTTP Strict Transport Security (HSTS)

By 2019 every website should be served over HTTPS. Certificates have been freely available for a while now, so there are no longer any valid excuses for not using them. HTTPS adds TLS, which both encrypts and authenticates the connection, so a man in the middle between client and server can neither read nor tamper with messages.
If a user requests the HTTP version of a page, there are several ways to handle it, the most common being to respond with a 301 Moved Permanently pointing at the HTTPS URL. But besides allowing eavesdropping on requests, plain HTTP lets a man in the middle tamper with responses, so the user may never see that redirect at all; they can instead be sent to a malicious website, which is just one of many bad outcomes of ever using HTTP.

[Figure: an HTTP request made with no STS header]

The Strict-Transport-Security (STS) header solves many of the problems created by serving HTTP at all. It tells the browser that it must only ever use the HTTPS version of the site. But we have already seen that a single HTTP request is enough for an attack, so how is this header the solution?
By default, an STS header works on the principle of "trust on first use": the site needs one successful HTTPS connection whose response carries the header, and browsers ignore the header if it arrives over plain HTTP or over a connection with certificate errors. Once such a connection has been seen, then for the number of seconds given by the max-age directive the browser will not make HTTP requests to that host. If a user or a link asks for the http:// version, the browser rewrites the request to https:// itself (Chrome shows this as a "307 Internal Redirect"). The rewrite happens before anything is put on the network, so an attacker can neither see nor modify the request. With the includeSubDomains directive the policy also covers every subdomain, and sending max-age=0 tells the browser to forget the policy.
Some issues remain: we still need one successful secure connection before any of this works, and max-age is not infinite, so the policy lapses if a user does not return in time. These leave a smaller, but still real, hole in our defences. Luckily there is a third directive, preload, which lets the policy ship inside the browser itself.
How? Any site wanting this must register on the HSTS preload list. Chromium's list is the one used by Chrome and, directly or in derived form, by the other major browsers, so it is the one to apply to. The submission rules are strict: the site must serve a valid certificate, redirect HTTP to HTTPS on the same host, and serve the header on the HTTPS root with a max-age of at least one year (31536000 seconds) together with both the includeSubDomains and the preload directives. Once a domain is accepted, the next release of each browser carries it, and the browser knows to use HTTPS before the first request is ever made; there is no longer any "trust on first use". The flip side is that preloading is close to irreversible: removal takes months to reach users, and every subdomain, internal ones included, must be reachable over HTTPS or it will simply stop working. All major browsers currently support HSTS.
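As an added example, not code from the original post, here is a small Python model of how a browser keeps HSTS state: it parses the header, records a policy only when the header arrived over HTTPS, upgrades later http:// requests internally, honours includeSubDomains and max-age expiry, treats preloaded hosts as trusted from the very first request, and checks whether a header value meets the preload list's requirements. The host names, timestamps and header values are constructed for the demonstration.

```python
"""Model of a browser's HSTS store, added here as an illustration.
Hosts, timestamps and header values below are constructed, not real."""
from dataclasses import dataclass

PRELOAD_MIN_AGE = 31536000  # one year: the minimum max-age hstspreload.org accepts


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time; float("inf") for preloaded entries
    include_subdomains: bool


def parse_sts(header: str):
    """Parse a Strict-Transport-Security value.
    Returns (max_age, include_subdomains, preload), or None if there is no usable max-age."""
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None          # malformed: browsers discard the whole header
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return max_age, include_sub, preload


class HstsStore:
    def __init__(self, preload_list=()):
        self.policies = {}
        # Preloaded hosts are trusted before any connection: no trust-on-first-use gap.
        for host in preload_list:
            self.policies[host.lower()] = HstsPolicy(float("inf"), True)

    def observe_response(self, host, scheme, sts_header, now):
        """Learn from a response. The header only counts if it came over HTTPS
        (RFC 6797 s8.1); over plain HTTP an attacker could have injected it."""
        if scheme != "https":
            return False
        parsed = parse_sts(sts_header)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)     # max-age=0 means "forget this host"
        else:
            self.policies[host] = HstsPolicy(now + max_age, include_sub)
        return True

    def should_upgrade(self, host, now):
        """True if an http:// request to host is rewritten to https:// before it
        reaches the network (what Chrome shows as '307 Internal Redirect')."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue                     # unknown or lapsed: falls back to HTTP
            if i == 0 or policy.include_subdomains:
                return True                  # exact host, or a parent with includeSubDomains
        return False


def preload_eligible(sts_header):
    """Header-side requirements of the HSTS preload list: one-year max-age,
    includeSubDomains and preload. (The list also requires HTTPS on every subdomain.)"""
    parsed = parse_sts(sts_header)
    if parsed is None:
        return False
    max_age, include_sub, preload = parsed
    return max_age >= PRELOAD_MIN_AGE and include_sub and preload


if __name__ == "__main__":
    store = HstsStore(preload_list=["preloaded.example"])
    # First visit over HTTP: the header is ignored, so the next http:// request is still exposed.
    store.observe_response("example.com", "http", "max-age=31536000", now=0)
    print("upgrade after HTTP-only visit:", store.should_upgrade("example.com", now=1))
    # One clean HTTPS visit with the header closes the hole for max-age seconds.
    store.observe_response("example.com", "https", "max-age=31536000; includeSubDomains", now=0)
    print("upgrade www.example.com:", store.should_upgrade("www.example.com", now=1))
    print("upgrade a year later:", store.should_upgrade("example.com", now=31536001))
    print("preloaded subdomain:", store.should_upgrade("a.preloaded.example", now=0))
    print("preload-eligible:", preload_eligible("max-age=31536000; includeSubDomains; preload"))
```

The lookup in should_upgrade walks from the exact host up through its parent domains, which is how a parent's includeSubDomains policy reaches a host the browser has never visited; the expiry check on each step is what makes a short max-age a weaker guarantee than it first appears.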


HTTP Public Key Pinning (HPKP)

Using HTTPS is good, and in most cases it is trustworthy. But what happens if a malicious actor presents a valid certificate for your site that is not your own, for example one obtained from a compromised or misbehaving certificate authority? This is called a rogue certificate, and it puts the attacker in the same position as plain HTTP would. Hijacking HTTPS this way is far harder than hijacking HTTP, so HTTPS remains the best bet for keeping communication secure. HPKP was meant to tackle this: it let a site pin an allowlist of hashes of its public keys, so the browser would reject any certificate chain that did not contain one of them. Real-world incidents and security research showed that HPKP was as much a source of new problems as a solution: a wrong pin, a lost key, or a pin planted by an attacker who briefly controlled the site locks every returning visitor out for the pin's max-age, with no recovery short of waiting it out. Most major browsers have therefore dropped support for it.

Content Security Policy (CSP)

Do you want to tell the browser what content (scripts, styles, etc.) may load on your site and how it may behave? CSP lets you do just that. You allowlist the resources that may run or be embedded on your site; anything else is refused. CSP has more than 30 directives, each with its own browser compatibility. Most of them are supported by the major browsers, but it is worth checking the MDN support table before relying on a new one. If you do not want to write the CSP directives by hand, a CSP header generator tool can automate the process.

Before highlighting some of the most useful directives, note that CSP comes in two modes, selected by two different header names. Content-Security-Policy enforces: anything not on the allowlist is blocked, as expected. That is what gives you the protection, but it is also a source of much headache while you enable your third-party sources one by one, with a broken site in the meantime. Content-Security-Policy-Report-Only accepts exactly the same directives but blocks nothing; it only reports violations, to the endpoint named in report-uri or report-to (without one, violations show up only in the browser console). That comes in very handy both while building the rules and when you want a directive but are not sure it will survive a change of environment. The two headers can be sent together, so a tightened policy can be trialled in report-only mode alongside the one being enforced.

Fetch directives

These directives define where each kind of resource may be loaded from: images, fonts, scripts and many others. The most important is default-src, which serves as the fallback for all the other fetch directives: if a fetch directive is absent, the value of default-src is applied in its place. Note that non-fetch directives such as form-action, base-uri and frame-ancestors do not inherit from it and must be set explicitly. A good start is default-src 'self', with the quotes, since 'self' is a keyword and an unquoted self would be read as a host name; this disallows all cross-origin resources, after which you add specific fetch directives for the exceptions. These rules should be the minimum you run in report-only mode.

Scripts and styles

Inline styles (the style attribute, and inline <style> elements) are widely cited as bad practice, so style-src 'self' is the better setting; it blocks both. Exceptions for specific inline <style> blocks can be made with a hash or a nonce. A nonce cannot be attached to a style attribute, so those have to be moved into a stylesheet.
script-src is also a fetch directive and is the most important one to get right. It needs to be strict, but usually also has to let in some third parties, Google Analytics for example, so 'self' alone is virtually impossible. Listing the third party's host is the obvious alternative, but then every script that host serves is trusted. A hash pins one exact script body, but must be updated every time the script changes, which for third-party scripts is frequent. Using a nonce (number used once) is usually the best solution. A nonce is not a counter: it must be an unpredictable value from a cryptographically secure random generator (at least 128 bits, base64-encoded), generated afresh for every response, placed in the header as 'nonce-<value>' and echoed in the nonce attribute of every script tag the page intends to run. If an attacker cannot guess it, this gives the same level of protection as a hash, but because it is generated dynamically it needs no manual updates. Never reuse a nonce across responses, and never let a nonced page be cached, since a fixed nonce is as good as none.
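An added example, not from the original post, of the nonce-and-hash approach in Python: it generates a fresh nonce, computes the hash source expression for an inline script or style body, assembles enforcing or report-only headers, and reads a policy back to show which directives inherit default-src and which do not. The host names, the report endpoint and the sample inline style are assumptions made for the demonstration.

```python
"""Build and read back a Content-Security-Policy header, added here as an
illustration. Hosts, report endpoint and script/style bodies are constructed."""
import base64
import hashlib
import secrets

# Fetch directives fall back to default-src when absent. Everything else
# (form-action, base-uri, frame-ancestors, ...) does not, and is left
# unrestricted unless set explicitly: a common gap in hand-written policies.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src", "style-src",
    "worker-src",
}


def csp_nonce() -> str:
    """128 bits from a CSPRNG, base64-encoded; must be fresh for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_hash(inline_source: str) -> str:
    """Source expression matching one exact inline <script>/<style> body
    (the bytes between the tags, nothing else)."""
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(nonce, script_hosts=(), style_hashes=(), report_only=False, report_uri=None):
    """Return (header_name, header_value). With report_only=True the browser
    reports violations to report_uri but blocks nothing."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", f"'nonce-{nonce}'", *script_hosts],
        "style-src": ["'self'", *style_hashes],      # deliberately no 'unsafe-inline'
        "img-src": ["'self'", "data:"],
        "object-src": ["'none'"],                    # plugins are never needed
        "base-uri": ["'self'"],                      # does not inherit default-src
        "form-action": ["'self'"],                   # does not inherit default-src
    }
    if report_uri:
        directives["report-uri"] = [report_uri]
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in directives.items())
    return name, value


def parse_csp(value: str) -> dict:
    """Header value -> {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(value: str, directive: str) -> list:
    """What the browser actually applies for `directive`, including the
    default-src fallback. An empty list means 'no restriction at all'."""
    policy = parse_csp(value)
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def script_tag(nonce: str, src: str) -> str:
    """Every script the page intends to run must carry the same nonce."""
    return f'<script nonce="{nonce}" src="{src}"></script>'


if __name__ == "__main__":
    nonce = csp_nonce()
    inline_css = "body{margin:0}"                    # constructed inline <style> body
    # Enforcing header, with one assumed third-party script host allowed.
    name, value = build_csp(nonce, script_hosts=["https://analytics.example"],
                            style_hashes=[csp_hash(inline_css)])
    print(f"{name}: {value}")
    print(script_tag(nonce, "/static/app.js"))
    # Trying a tighter policy in report-only mode alongside the enforced one.
    print("%s: %s" % build_csp(nonce, report_only=True, report_uri="/csp-report"))
    print("font-src inherits:", effective_sources(value, "font-src"))
    print("frame-ancestors inherits:", effective_sources(value, "frame-ancestors"))
```

The nonce must be generated on the server for each response and reach both the header and the script tags from the same variable; the hash is computed over the exact inline body, so a single changed byte in the style or script breaks the match, which is the point.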

Thursday, October 10, 2019

Web traffic via Chrome and Firefox in danger


Two of the most popular browsers are Google Chrome and Mozilla Firefox. Exploiting that popularity, a Russian group known as Turla has been marking and tracking the TLS-encrypted traffic of both browsers. With targets identified in Russia and Belarus, they do so by infecting systems with a remote access trojan (RAT) that quietly modifies the browsers.
The trojans are believed to have been downloaded from both legitimate sites and sites that distribute pirated software. Interestingly, the websites themselves never hosted any malicious files. Instead, when a user started a legitimate download, the installer was modified in transit: the download ran over plain HTTP, which makes that kind of tampering easy.
That raises another question: how could they intercept all that traffic? They must have compromised an Internet Service Provider (ISP), which, given that the group is suspected of being backed by the Russian government, is no great feat. Indeed, Turla is on record as having compromised several ISPs in the past.
Once a machine is infected, the malware installs its own root certificates and, having analysed the code of both browsers, patches their pseudo-random number generation functions in memory so that the output carries unique hardware- and software-based identifiers of the victim. Those generators produce the random value the browser sends in the TLS ClientHello of every connection, so the marker rides along inside what should be random bytes, readable by anyone watching the traffic, and lets the attackers follow the victim's footsteps across the internet without breaking the encryption itself.

The malware has been named Reductor and is believed to be a successor of the COMpfun trojan, which was discovered in 2014 by Kaspersky. Elaborating, they explain "that the original COMpfun Trojan most probably is used as a downloader in one of the distribution schemes. Based on these similarities, we're quite sure the new malware was developed by the COMpfun authors."

What makes this attack so remarkable is the demonstrated ability to infect files on the fly, something that "places the actor in a very exclusive club". To swoop in with a word of advice: stop downloading software over plain HTTP. Insist on HTTPS, and where a publisher provides signatures or hashes for its downloads, check them before installing; a tampered installer that still runs is exactly what this campaign relied on.

This, however, is not the first time Chrome and Firefox have been targeted in a single attack. Last year, the Vega Stealer malware was caught stealing saved passwords and credit/debit card data from Chrome and Firefox users.

In another incident, cyber criminals used fake Chrome and Firefox browser updates to infect the computers of unsuspecting Windows users with malware and steal banking and payment card credentials.