1/ I think I have the answer! (blogpost at the bottom of 🧵)
Original Q: How was @WhatsApp able to patch a client-side vulnerability of malicious PDF parsing from the server-side, although server is not exposed to PDF content due to End-to-End Encryption (#E2EE)?

https://twitter.com/TalBeerySec/status/1903579983592804364

2/ Short answer: @whatsapp is indeed using @signalapp E2EE protocol, but "cheating" and leaking some metadata from the client side.
But in this case "cheating" benefits the user.
CC: @jsrailton @billmarczak @matthew_d_green @mer__edith @moxie

1/ There is a bigger security lesson here, applied to infosec too:
We often dismiss (e.g. lower CVSS) attack vectors that require proximity.
However, in many cases all it takes to make such attacks feasible is a carrier to bridge the distance
@thegrugq @dinodaizovi @ImposeCost

https://twitter.com/DAlperovitch/status/1929264612723102004

2/ In this case the "local" FPV drones attack was made possible with trucks that bridged the thousands of KMs separating Ukraine and the attacked Russian airbases (and relaying the control protocol over 4G/LTE).

Infosec examples below:

1/ A technical writeup on @Meta’s @WhatsApp privacy issue:
WA leaks victim devices’ end-to-end encryption (E2EE) identity information (mobile device + up to 4 linked devices) to any user, by design, even if blocked and not in contacts.
medium.com/@TalBeerySec/h… 2/ for example it can be applied on Hamas leaders (which obviously I did not have previous communication with)

https://x.com/TalBeerySec/status/1747556980540006446?s=20

1/ A (over-?) simplified summary 🧵 of #Ethereum data signing methods evolution.
data signatures are used for off-chain use cases ("sign in to app") or verified by smart contracts (e.g. ERC20 permit to save gas)
#web3 2/ Eth_sign (legacy): in the beginning, client could sign anything, which of course could allow attackers to serve valid on-chain transactions as data for the victims to sign

1/ Solving the root cause of #GoldenSAML attacks, recently used in #Sunburst attacks.
Don't of scale security "UP", burying #SAML's private key deeper in HSM,
scale it "OUT": distribute it w/ modern crypto (#TSS #MPC)+ service architecture, as we do for #cryptocurrency @ZenGo

https://twitter.com/ZenGo/status/1353704727255642112

2/ Advanced attackers (#APT) steal long term secrets ("the stamp") that allow them to issue access tokens and thus access all services in victims' environment, bypassing all security, including multi-factor auth (#MFA,#2FA)

Abusing #ADFS for #GoldenSAML attack, heavily used by #Sunburst attackers.
To get context, see the fabulous '19 talk @WEareTROOPERS by @doughsec @BakedSec of @Mandiant @FireEye (the irony..)
Slides: slideshare.net/DouglasBiensto…

1/ IT politics is part of the "physics" of the security problem, much like friction, noise and air resistance in the physical world.
An often overlooked aspect of security solutions is that they empower CISOs to mitigate issues without asking others for help

https://twitter.com/jaredhaight/status/1322208309672202242

2/ Per the "Kerberoasting" example mentioned by @jaredhaight, the naive solution would be to just ask service account owners to upgrade password strength.
However, the CISO may have a security solution that monitors Kerberos requests to the DC and blocks massive harvesting

1/ I just published Hitting a CurveBall Like a Pro!
Using #wireshark to detect and hunt #curveball exploits by following the NSA advisory
link.medium.com/JarIb0qQM3 2/ detecting non-standard elliptic curve params

1/ Adding details from #NSO Group request for injunction against #Facebook
#NSOgroup

https://twitter.com/TalBeerySec/status/1199324465517223937

2/ The gist of it: Facebook breached their TOS as it allows blocking only in cases the blocked user actually violated the TOS and requires informing the blocked user