The Taliban Have Seized U.S. Military Biometric Data of Afghan Civilians

Hatemail: Newsletter and Intel from the LaBac Hacker Collective

The U.S. Military Collected Biometric Data on Afghan Civilians. Now the Taliban Have It.

The Taliban have seized U.S. military biometric devices holding personally identifiable information (PII) on Afghan civilians, including civilians who assisted coalition forces. It is currently unclear how much of that data has been compromised.

The devices, reportedly taken by the Taliban last week during their advance on Kabul, are known as Handheld Interagency Identity Detection Equipment (HIIDE). HIIDE devices provide access to the U.S. military’s Biometrics Automated Toolset System (BATS), a database of iris scans, facial images, fingerprints, biographical profiles, and other sensitive data. The units are also built to work disconnected and hold local copies of records for matching in the field, so the exposure does not hinge on whether a captured device can still reach BATS.

As an identification tool, U.S. military personnel used the devices across a range of operations, including intelligence collection and population surveillance: confirming the identities of locals working with coalition forces, locating and tracking suspected terrorists, and, in 2011, helping to identify Osama bin Laden.

Currently, it is unclear whether the Taliban have actually extracted PII from the HIIDE devices. Security experts quoted in the reporting believe the Taliban lack the resources to exploit the devices on their own; retrieving the data would take help from another state actor, such as Pakistan’s intelligence agency, Inter-Services Intelligence (ISI), which has long been suspected of supporting the Taliban.

The U.S. and Pakistan relationship status with regard to the Taliban? It’s complicated.

Pakistan, which shares a roughly 1,640 mi (~2,640 km) border with Afghanistan, has a convoluted history with the Taliban, and the risk that the ISI would either assist with the data or take its own interest in it is real. Pakistan has walked a line between never quite condemning the Taliban outright and keeping up appearances with the U.S.

You know, the U.S. and Pakistan are, like, frenemies.

If Pakistan helped the Taliban access and use the PII at risk, it could shift the U.S.–Pakistan alliance and feed further Taliban-flavored destabilization of Pakistan’s international standing. Pakistan even has its own homegrown version of the Taliban, Tehrik-i-Taliban Pakistan, colloquially the Pakistani Taliban, the group linked to the shooting attack on Malala Yousafzai over her campaign for girls’ education.

Human rights advocates and groups have responded to the news of the seized biometric data by advising activists to delete as much of their digital history as they can and to practice good digital hygiene. The limit of that advice is obvious: unlike a password, an iris scan or fingerprint cannot be changed once it has leaked, so hygiene can reduce what links back to a biometric record but cannot revoke the record itself.

The Taliban’s rapid takeover of Afghanistan in the wake of the U.S. military’s withdrawal has stunned U.S. officials, and the finger-pointing over who is to blame for the outcome of this 20-year war has already begun. At the time of publishing, the U.S. military has evacuated 1,800 people from Afghanistan since Saturday on several transport aircraft, according to White House officials.

Check Out Project ‘Aghaniscan’

Aaron DeVera, a member of our LaBac collective, recently took a snapshot of Afghan IP space using the data analysis tool Observable. The snapshot lists Afghan IP ranges, archived webpages, and the results of a scan of the services running on publicly reachable hosts. They are also making the data freely available to the public. You can find both the snapshot and the data here.

Ransomware Attacks and Cybercrime 

  • [InfoSecurity Magazine] [CyberMDX] A new industry study claims that about half of all U.S. hospitals have suffered network disruption due in part to ransomware attacks. The report focuses on small and medium-sized hospital networks, which attackers often prefer as targets, and puts downtime costs at $25,000 an hour.

  • [The Washington Post] [T-Mobile] T-Mobile confirmed on Tuesday that it was the victim of a large breach that exposed data on over 40 million customers. The hacker, who had previously posted to an underground cybercriminal forum, claims to have obtained backdoor access deep inside the T-Mobile network. T-Mobile says the attacker has since been shut out.

  • [FireEye] [ThreatPost] FireEye has disclosed an authentication bypass vulnerability (CVE-2021-28372) affecting millions of Internet of Things (IoT) devices. Separately, Threatpost reports that security researchers at Tenable have identified a botnet exploiting a similar authentication bypass (CVE-2021-20090) in IoT devices.

  • [Just Security] Compared to long-standing norms and traditions in war and espionage, cyberwarfare lacks rich historical precedent that the international community agrees on. With a new treaty on cyberspace norms, the United Nations is taking small steps toward internationally agreed-upon behavior, but critics are concerned it could expand government regulation online.

Lost Data and Budget Loopholes in Law Enforcement News

  • [Wired] Yesterday, Wired reported that the New York City Police Department has spent at least $159 million since 2007 on a range of surveillance tools (such as vans equipped to detect weapons, facial-recognition software, and cell-site simulators) through a “Special Expenses Fund” that bypasses the public oversight applied to other expenses.

  • [The Register] [AP News] Last week, the Dallas Police Department revealed that a massive amount of information on criminal cases, 8 terabytes to be exact, was deleted during a data migration of a network drive. While the police and the Dallas city IT department knew about the lost data back in April, the district attorney’s office only learned about the mishap this month.

  • [Newsweek] A new Washington state law requires law enforcement officers to consent to a review of their social media accounts as a condition of their job certification. The reviews are conducted by a representative of the Washington State Criminal Justice Training Commission (CJTC).

On Our Radar...

  • [Recon Village, DEF CON] From this month’s Recon Village at DEF CON 29 (2021), a great conference talk on how sex workers can use open-source intelligence (OSINT) to protect themselves from online harassment.

  • [The Verge] Re-creations of mass shootings are appearing on Roblox, the popular online game platform, and are slipping past the platform’s moderation system. 

  • [Vulture] Reeves Wiedeman looks into a particularly unusual case of a book thief who conducted digital heists for years using various aliases and fraudulent emails. 

  • [New York Times Magazine] This photography spread by the New York Times Magazine profiles some of the now-grown attendees of Camp I Am, a little summer camp for gender-nonconforming children.

Hate speech website: crikey[.]com[.]au

Who hosts: Cloudflare

Today’s site is crikey[.]com[.]au. Crikey is a legitimate news site, but has caught our ire for its consistent stance against transgender people. Its support for and platforming of trans-exclusionary content is disappointing and outdated.

Crikey’s site is protected by Cloudflare.
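As an added example (not code from Project ‘Aghaniscan’, from Observable, or from anything Cloudflare or Crikey publish), here is a small Python script that does the bookkeeping behind both the IP-space snapshot above and the “who hosts” check: it groups a service scan of an address space by the block each host falls in, and it tells you when a scanned or resolved address is actually a CDN edge rather than the site’s own server. All scan records and the “target-space” ranges are constructed from RFC 5737 documentation networks; the Cloudflare ranges are a hand-copied subset of Cloudflare’s published IPv4 list and are assumed current, so refresh them from cloudflare.com/ips before relying on them.

```python
"""Attribute a port-scan snapshot to the address blocks it landed in.

Added illustration for the newsletter, not code from Project 'Aghaniscan'
or from Cloudflare/Crikey. Scan records and "target-space" ranges are
constructed (RFC 5737 documentation networks). The Cloudflare ranges are a
hand-copied subset of cloudflare.com/ips and are assumed to be current.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the address space being surveyed.
SURVEY_RANGES = {
    "target-space": ["203.0.113.0/24", "198.51.100.0/24"],
}

# Subset of Cloudflare's published IPv4 edge ranges (snapshot; assumed current).
CDN_RANGES = {
    "cloudflare": [
        "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15",
        "198.41.128.0/17", "141.101.64.0/18",
    ],
}

# Constructed scan output in a masscan-like shape: one open port per record.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 22, "service": "ssh"},
    {"ip": "203.0.113.10", "port": 80, "service": "http"},
    {"ip": "203.0.113.44", "port": 443, "service": "https"},
    {"ip": "198.51.100.7", "port": 8080, "service": "http-proxy"},
    {"ip": "104.16.1.9", "port": 443, "service": "https"},  # what a Cloudflare-fronted site resolves to
    {"ip": "192.0.2.5", "port": 23, "service": "telnet"},   # in no known range
]


def build_index(named_ranges):
    """Flatten {label: [cidr, ...]} into [(network, label)], most-specific prefix first."""
    index = [
        (ipaddress.ip_network(cidr, strict=True), label)
        for label, cidrs in named_ranges.items()
        for cidr in cidrs
    ]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def classify(ip, index):
    """Return the label of the most specific network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in index:
        if addr.version == net.version and addr in net:
            return label
    return None


def fronted_by(ip, cdn_ranges=CDN_RANGES):
    """Name the CDN whose edge range contains ip (the 'who hosts' check), or None.

    A hit means the address you scanned or resolved is the CDN's edge, not the
    origin server; the origin stays hidden unless it leaks some other way.
    """
    return classify(ip, build_index(cdn_ranges))


def summarize(scan_records, survey_ranges=SURVEY_RANGES, cdn_ranges=CDN_RANGES):
    """Group a scan by owning block: hosts seen, an open-port histogram, and an
    'edge' flag for blocks that belong to a CDN rather than the surveyed space."""
    index = build_index({**survey_ranges, **cdn_ranges})
    buckets = defaultdict(lambda: {"hosts": set(), "ports": defaultdict(int)})
    for rec in scan_records:
        label = classify(rec["ip"], index) or "unattributed"
        buckets[label]["hosts"].add(rec["ip"])
        buckets[label]["ports"][rec["port"]] += 1
    return {
        label: {
            "hosts": sorted(b["hosts"], key=ipaddress.ip_address),
            "ports": dict(b["ports"]),
            "edge": label in cdn_ranges,
        }
        for label, b in buckets.items()
    }


if __name__ == "__main__":
    for label, info in summarize(SCAN_RECORDS).items():
        note = "CDN edge (origin not visible)" if info["edge"] else "direct"
        print(f"{label:14} {note:30} hosts={len(info['hosts'])} ports={info['ports']}")
```

Run it to print one line per block. The practical point for both items: when a site resolves into Cloudflare’s ranges, the scan result and the “who hosts” answer both describe Cloudflare’s edge, not the server behind it, and an abuse or takedown request has to go to the CDN rather than to whoever owns the origin.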

CyPurr Session: Back to School (Sat. August 21, 2021 - 11:00am ET)

LaBac ally CyPurr is hosting this event at the Brooklyn Public Library!
School’s in! However you may feel about remote learning, join CyPurr to talk about ways students can keep their privacy in mind on their devices while navigating the academically (and socially) rigorous new school year. [RSVP at the library website here.]

SeaGL 2021, Seattle GNU/Linux Conference (Nov. 5-6, 2021)

The Seattle GNU/Linux Conference, SeaGL, is happening November 5-6 this year, fully virtual. This fantastic conference, running since 2013, has a variety of tracks (including a robust security track) featuring some of the best Pacific Northwest speakers. And it’s completely free!

The call for proposals (CFP) is open through the end of August 19, 2021, here. SeaGL also mentors newer speakers through submitting and presenting, making it a great conference for a first-time talk.

Toorcon: San Diego 2021 (Oct. 12-14, 2021)

Toorcon, the San Diego mainstay security conference, is on for 2021, and the CFP and registration have gone live. Per Toorcon’s site, “This year’s talks will all be 50-minutes in one track on one day and a Demo Day to go in-depth and collaborate on the cutting edge research.” Note: there are limited numbers of tickets per tier, and the cheaper tiers will sell out first. Some LaBac folks will be on-site at Toorcon this year. [CFP and ticket registration here.]
