More stories


    Dallas school district admits SSNs and more of all employees and students since 2010 accessed during security incident

    The Dallas Independent School District, one of the biggest school districts in the United States, has released an advisory saying the personal data of students and employees was accessed and downloaded during a “data security incident.” The school district serves more than 150,000 students and said in a notice that any student, employee, parent or contractor with the school district since 2010 is affected by the incident. When asked by ZDNet whether this was a cyberattack, the school district would not say. The district received notice of the data security incident on August 8 and said federal law enforcement agencies are now involved in the effort to address what happened. Although the investigation is still ongoing, the district believes someone accessed its network, downloaded data and temporarily stored it on an encrypted cloud storage site. The notice claims the data has been “removed from the site” but does not explain how this was done, or whether the data was copied elsewhere or passed to someone else. Data that the school district is allegedly “required by law to maintain” was exposed during the attack, including the first and last names, addresses, phone numbers, social security numbers and dates of birth of current and former students, employees and parents. Some students also had information about their custody status and/or medical condition exposed during the attack.

    For employees and contractors, the attackers also gained access to their dates of employment, salary information and reason for ending employment. “Despite our efforts, the district is now one of a growing number of public and private organizations experiencing cyberattacks,” the school district said. “The district’s IT team, assisted by forensic consultants, has addressed specific vulnerabilities that were exploited during this event and will continue efforts to augment security going forward. We regret any inconvenience this incident may have caused and believe it is our responsibility to inform the public that we are taking steps to notify individuals whose records have been impacted.” The district will be updating a website with information about the attack and said anyone who would like to sign up for free credit monitoring should call (855) 651-2605. The hotline is being run by identity protection company Kroll, which the Dallas Independent School District hired to manage the aftermath of the attack. The school district said it would be providing more specific information about what data from each person was accessed and would be sending it to Kroll, which could then let people know if they call the hotline. Kroll is offering victims just 12 months of credit monitoring and ID theft recovery services. The school district is creating a website that allows victims to enter their information to access credit monitoring. Victims can also call to activate the monitoring. The credit monitoring website will be available to victims on September 10. “We continue to investigate and remediate this incident. The district is conducting a comprehensive review of its systems and implementing additional security measures. We are confident these changes will decrease the possibility of a future incident,” the district statement explained.


    CISA urges IT teams to address critical vulnerability affecting Cisco Enterprise Network Function Virtualization Infrastructure Software

    CISA released a note this week urging IT teams to update a Cisco product that has a critical vulnerability. The vulnerability affects Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) Release 4.5.1, and Cisco released software updates that address it on Wednesday. The vulnerability “could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator,” according to Cisco. The flaw is in the TACACS+ authentication, authorization and accounting (AAA) feature of NFVIS. “This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device,” Cisco said. “There are no workarounds that address this vulnerability. To determine if a TACACS external authentication feature is enabled on a device, use the show running-config tacacs-server command.” Cisco urged IT teams to contact the Cisco Technical Assistance Center or their contracted maintenance providers if they face any problems.

    “The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability described in this advisory. The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory,” Cisco added, thanking Cyrille Chatras of Orange Group for reporting the vulnerability. John Bambenek, threat intelligence advisor at Netenrich, said it is a “pretty major problem for Cisco NFV devices that highlights software engineers still struggle with input validation vulnerabilities that have plagued us for almost three decades.” “Easy acquisition of administrative rights on any device should be concerning and organizations should take immediate steps to patch their devices,” Bambenek added.


    US Cybercom says mass exploitation of Atlassian Confluence vulnerability 'ongoing and expected to accelerate'

    US Cybercom has sent out a public notice warning IT teams that CVE-2021-26084, an Atlassian Confluence vulnerability, is actively being exploited. “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already; this cannot wait until after the weekend,” US Cybercom said in a tweet on Friday ahead of the Labor Day weekend holiday. A number of IT leaders took to social media to confirm that it was indeed being exploited. Atlassian released an advisory about the vulnerability on August 25, explaining that the “critical severity security vulnerability” was found in Confluence Server and Data Center versions before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5. “An OGNL injection vulnerability exists that would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data Center prior to the fixed versions listed above are affected by this vulnerability,” the company said in its advisory. Atlassian urged IT teams to upgrade to the latest Long Term Support release and said that if that is not possible, there is a temporary workaround. “You can mitigate the issue by running the script below for the Operating System that Confluence is hosted on,” the notice said.

    The vulnerability only affects on-premise servers, not instances hosted in Atlassian’s cloud. Multiple researchers have illustrated how the vulnerability can be exploited and released proof-of-concepts showing how it works. Bad Packets said they “detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.” Censys explained in a blog post that over the last few days, its team has “seen a small shift in the number of vulnerable servers still running on the public internet.” “On August 31st, Censys identified 13,596 vulnerable Confluence instances, while on September 02, that number has decreased to 11,689 vulnerable instances,” Censys said. The company explained that Confluence is a “widely deployed Wiki service used primarily in collaborative corporate environments” and that it “has become the de facto standard for enterprise documentation over the last decade.” “While the majority of users run the managed service, many companies opt to deploy the software on-prem. On August 25th, a vulnerability in Atlassian’s Confluence software was made public. A security researcher named SnowyOwl (Benny Jacob) found that an unauthenticated user could run arbitrary code by targeting HTML fields interpreted and rendered by the Object-Graph Navigation Language (OGNL),” the blog said. “Yes, that is the same class of vulnerability used in the Equifax breach back in 2017. Just days before this vulnerability was made public, our historical data showed that the internet had over 14,637 exposed and vulnerable Confluence servers. Compare that to the current day, September 1st, where Censys identified 14,701 services that self-identified as a Confluence server, and of those, 13,596 ports and 12,876 individual IPv4 hosts are running an exploitable version of the software.”
    (Censys chart: number of Confluence servers still vulnerable over time.)
    “There is no way to put this lightly: this is bad. Initially, Atlassian stated this was only exploitable if a user had a valid account on the system; this was found to be incorrect and the advisory was updated today to reflect the new information. It’s only a matter of time before we start seeing active exploitation in the wild as there have already been working exploits found scattered about,” Censys added. Yaniv Bar-Dayan, CEO of Vulcan Cyber, told ZDNet that security teams need to fight fire with fire as they work to prioritize and remediate this Confluence flaw. Attackers shouldn’t be the first to automate scans for this exploit, and hopefully IT security teams are ahead of their adversaries in proactively identifying the presence of this vulnerability and are taking steps to mitigate, Bar-Dayan said. “Given the nature of Atlassian Confluence, there is a very real chance components of the platform are Internet exposed,” Bar-Dayan added. “This means that attackers won’t need internal network access to exploit the RCE vulnerability. A patch is available and administrators should deploy it with extra haste while also considering other mitigating actions such as ensuring no public access is available to the Confluence Server and services.” BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.
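    As an added example (my code, not anything published by Atlassian, Cisco, CISA or ZDNet), the following Python turns the two advisories above, the Cisco NFVIS TACACS+ bypass and Confluence CVE-2021-26084, into a single inventory check. It encodes the Confluence affected ranges exactly as listed (each range includes its lower bound and excludes the fixed version) and skips cloud-hosted instances, which the article says are not affected; for NFVIS it flags a host only if it reports Release 4.5.1 and its running configuration contains a tacacs-server stanza, mirroring the show running-config tacacs-server check Cisco recommends. The inventory records and running-config snippets are constructed for illustration, and the line layout assumed for NFVIS configuration output is my assumption, not taken from the advisory.

```python
import re

# Confluence Server/Data Center ranges affected by CVE-2021-26084, as listed in
# Atlassian's advisory: [lower, fixed) -- the fixed version itself is not affected.
CONFLUENCE_AFFECTED = [
    ("0.0.0", "6.13.23"),
    ("6.14.0", "7.4.11"),
    ("7.5.0", "7.11.6"),
    ("7.12.0", "7.12.5"),
]

# NFVIS release named as affected in the Cisco advisory summarised above.
NFVIS_AFFECTED = "4.5.1"


def parse_version(text):
    """Turn '7.12.4' (or '7.12.4-ga') into a comparable tuple of ints.

    Missing components are padded with zeros so '6.13' == '6.13.0'.
    """
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("no numeric version in %r" % text)
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def confluence_vulnerable(version):
    """True if an on-prem Confluence version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(fixed)
               for lo, fixed in CONFLUENCE_AFFECTED)


def tacacs_configured(running_config):
    """Look for an active tacacs-server stanza in (assumed) NFVIS config text.

    A line such as 'no tacacs-server' does not start with the keyword and so
    counts as absence.
    """
    for line in running_config.splitlines():
        if line.strip().startswith("tacacs-server"):
            return True
    return False


def nfvis_exposed(version, running_config):
    """Exposure needs both the affected release and TACACS+ external auth."""
    return (parse_version(version) == parse_version(NFVIS_AFFECTED)
            and tacacs_configured(running_config))


def triage(inventory):
    """Return (host, reason) pairs for hosts that need immediate patching."""
    findings = []
    for host in inventory:
        if host["product"] == "confluence":
            if host.get("hosted") != "cloud" and confluence_vulnerable(host["version"]):
                findings.append((host["name"],
                                 "Confluence %s in CVE-2021-26084 range" % host["version"]))
        elif host["product"] == "nfvis":
            if nfvis_exposed(host["version"], host.get("running_config", "")):
                findings.append((host["name"], "NFVIS 4.5.1 with TACACS+ auth enabled"))
    return findings


# Constructed sample inventory; the running_config text is illustrative only.
SAMPLE_INVENTORY = [
    {"name": "wiki-01", "product": "confluence", "version": "7.12.4"},
    {"name": "wiki-02", "product": "confluence", "version": "7.13.0"},
    {"name": "wiki-saas", "product": "confluence", "version": "7.12.4", "hosted": "cloud"},
    {"name": "nfv-edge-1", "product": "nfvis", "version": "4.5.1",
     "running_config": "tacacs-server host 10.0.0.5 key 7 ****\n"},
    {"name": "nfv-edge-2", "product": "nfvis", "version": "4.5.1",
     "running_config": "no tacacs-server\n"},
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_INVENTORY):
        print(name, "-", reason)
```

    Run against a real inventory, the Confluence half is the piece that most often goes wrong by hand: a host on 7.4.11 or 7.13.0 is not in any listed range, while 6.14.0 and 7.12.4 are, and mixing up inclusive and exclusive bounds flips those answers.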


    AWS researcher merges the power of two quantum computers to help make cryptography keys stronger

    Amazon’s researcher put together Rigetti’s and IonQ’s quantum processors to generate random numbers that are the basis of cryptography keys.    
    Combining the capabilities of two quantum computers, a researcher from Amazon’s quantum unit Braket has come up with a new way to create truly random numbers of the kind needed to protect sensitive data online, ranging from blockchain ledgers to government secrets. Amazon research scientist Mario Berta put together Rigetti’s and IonQ’s quantum processors, which are both available through the company’s cloud-based quantum computing service, to generate random numbers that serve as the basis of cryptography keys. These keys can in turn be used to encrypt critical data, turning information into an unreadable form for anyone but those who hold the appropriate key to decode the message. Randomness has a fundamental role to play in cryptography: the less predictable the key, the harder it is for a malicious actor trying to get their hands on the data to guess it.

    There are many ways to generate random numbers, with the most straightforward method simply consisting of flipping a coin and assigning values of zero or one to the two possible outcomes. Repeat the procedure many times, and you’ll find yourself with a random string of bits, which you can turn into a secure cryptography key. Manually flipping coins, however, isn’t enough to keep up with the scale of demand for data security. This is why modern cryptography relies on hardware and software random number generators, which create streams of bits that are used to produce strong cryptography keys. This is what Berta has now achieved using quantum processors. “Quantum random number generators (QRNGs) hold promise to enhance security for certain use cases,” said Berta in a blog post.

    Of course, security experts have not waited for quantum computers to come along to start working on random number generation for cryptography keys. For years, classical systems have been used, in which coin flipping is replaced with ring oscillators that create a seed of randomness in the form of a few bits. This seed value is then processed by pseudo-random number generators (PRNGs), which use software algorithms to generate longer sequences of numbers with statistical properties similar to those of the original random bits. But the method has its shortcomings. Ring oscillators, for example, can produce biased or correlated bits that an attacker with a good model of the circuit and enough compute power could partly predict; and PRNGs, which rest on computational assumptions, are also at risk of being second-guessed. In other words, the randomness generated by classical means is only partial, meaning that it is in principle possible to reconstruct the cryptography key that is derived from those numbers. Not so with quantum-generated numbers. “These potential vulnerabilities of classical technologies for generating randomness can be addressed with quantum technologies that make use of the inherent unpredictability of the physics of microscopically small systems,” said Berta. Berta leveraged a property that is intrinsic to quantum physics by which quantum particles exist in a special quantum state called superposition. In a quantum computer, this means that quantum bits (or qubits) can be a value of zero and one at the same time, but that they collapse to either value as soon as they are measured. Whether qubits collapse to zero or one, however, is random. This means that, even equipped with complete information about the quantum state, it is impossible to know in advance to which value the qubit will collapse when measured. A given number of qubits, therefore, can provide a string of bits with an equal number of completely random values.
    “Unique quantum features thereby allow the creation of freshly generated randomness that provably cannot be known by anyone else in advance,” said Berta. The catch is that today’s quantum computers are unreliable and noisy, which can alter the randomness of the quantum effect and defeat the whole point of the experiment. What’s more, information about the noise can leak into the environment, meaning that a potential attacker could gather the side information they need to narrow down the measurement outcomes obtained in the quantum processor. To tackle this issue, Berta used two quantum processors to produce two independent strings of bits, each of which he described as only “weakly” random. The strings are then processed by a classical algorithm called a randomness extractor (RE), which can combine multiple sources of weakly random bits into one output string that is nearly perfectly random. Unlike the classical PRNG step, the post-processing doesn’t rest on any computational assumption that could later be broken. Rather, REs condense physical randomness from the different sources. “So, two independent sources that are only weakly random get condensed by these algorithms to one output that is (nearly) perfectly random,” said Berta. “Importantly, the output becomes truly physically random with no computational assumptions introduced.” Berta predicted that as QRNGs become cheaper and more accessible, they could play an important role in high-security applications, especially as the flaws of classical methods become more apparent. Earlier this year, for example, researchers from security firm Bishop Fox reported that up to 35 billion Internet-of-Things devices were at risk because a classical generator failed to produce numbers random enough to protect sensitive data. And as compute power increases, attacks on weak random number generators are likely to multiply, undermining the cryptographic schemes built on them.
    The prospect of current encryption protocols becoming obsolete, however, is still far off. It would require attackers to gain access to huge amounts of compute power to crack today’s cryptography keys, the kind of power that is expected to be unleashed by quantum computers one day, but not for at least a decade. “State-of-the-art implementations of this classical technology for generating randomness sufficiently address nearly all of today’s needs,” said Berta. Still, a growing number of companies are thinking further ahead and already starting to strengthen their security protocols by improving the randomness of their cryptography keys. Verizon, for example, recently trialed a “quantum-safe” VPN between London and Ashburn in Virginia; and quantum software company Cambridge Quantum is working on a method to future-proof critical information stored in blockchains. Berta, for his part, encouraged Braket users to get started themselves, by trying their hand at random number generation directly within AWS’s quantum cloud service. More information can be found in the Braket GitHub repository.
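    To make the post-processing step concrete, here is an added Python example (my illustration, not Berta’s notebook or anything from the Braket repository) of the simplest two-source randomness extractor, the inner-product-mod-2 construction of Chor and Goldreich. Each k-bit block from source A is combined with the matching block from source B by taking the parity of their bitwise AND. For two independent sources with enough min-entropy this yields nearly uniform output bits with no computational assumption, which is the property Berta describes. The demo models weakness as independently biased bits (a 70/30 coin), only one kind of weak source, and uses seeded classical generators purely as stand-ins for the two quantum processors; the function names and the constructed inputs are my own.

```python
import random


def bits_to_int(bits):
    """Pack a list of 0/1 values into an int, first element most significant."""
    value = 0
    for b in bits:
        value = (value << 1) | (b & 1)
    return value


def inner_product_bit(a, b):
    """Inner product of two equal-width bit vectors over GF(2): parity of popcount(a & b)."""
    return bin(a & b).count("1") & 1


def extract(src_a, src_b, block_bits):
    """Two-source (Chor-Goldreich) extractor: one output bit per block pair.

    src_a and src_b are lists of bits from two *independent* weak sources;
    trailing bits that do not fill a whole block are discarded.
    """
    n = min(len(src_a), len(src_b)) // block_bits * block_bits
    out = []
    for i in range(0, n, block_bits):
        a = bits_to_int(src_a[i:i + block_bits])
        b = bits_to_int(src_b[i:i + block_bits])
        out.append(inner_product_bit(a, b))
    return out


def biased_source(rng, n_bits, p_one):
    """Constructed weak source: independent bits, each 1 with probability p_one."""
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def bias(bits):
    """Distance of the empirical frequency of 1s from the ideal 0.5."""
    return abs(sum(bits) / len(bits) - 0.5)


def demo(seed_a=1, seed_b=2, p_one=0.7, block_bits=16, n_blocks=4000):
    """Show that two biased, independent sources extract to nearly unbiased bits.

    If each input bit is 1 with probability p, each AND bit is 1 with
    probability p*p, and the parity of block_bits of them has bias
    (1 - 2*p*p) ** block_bits / 2; for p = 0.7 and k = 16 that is about 3e-28.
    The two seeds stand in for two physically independent devices.
    """
    n_bits = block_bits * n_blocks
    src_a = biased_source(random.Random(seed_a), n_bits, p_one)
    src_b = biased_source(random.Random(seed_b), n_bits, p_one)
    out = extract(src_a, src_b, block_bits)
    return {"bias_a": bias(src_a), "bias_b": bias(src_b),
            "bias_out": bias(out), "out_bits": len(out)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    The price of this construction is throughput: k input bits from each source buy one output bit, and the independence assumption is doing all the work, since feeding the same source in twice would make the output a deterministic function of it. Production extractors (Trevisan-style constructions are the usual choice in QRNG work) get far better rates, but the security argument is the same: it is information-theoretic, not computational.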



    Fed up with constant cyberattacks, one country is about to make some big changes

    Italy is reinforcing its critical infrastructure with a new cybersecurity agency and fresh EU funding.
    Italy has faced a barrage of cyberattacks in recent weeks. On August 1, the main datacenter of the Lazio region was hit by a ransomware attack, which made many of its online services, including the COVID-19 vaccination-booking platform, inaccessible. All data was encrypted, and the attackers demanded a bitcoin ransom in exchange for letting the authorities recover it. Luckily, technicians were able to restore the encrypted data from a backup copy. Less than three weeks later, on August 18, the healthcare agency of the Tuscany region was also targeted by criminals who were able to penetrate its online defenses and destroy some statistical and epidemiological data.

    Previously, ransomware campaigns had hit big corporations such as the energy company Enel Group, Campari, Geox, Tiscali, Luxottica, and hospitals such as the Spallanzani in Rome and the San Raffaele in Milan, albeit with limited results. These, and other episodes, have been a wake-up call for Italian politicians and common citizens alike on the necessity to improve the country’s cyber defenses, even though the Minister of Technological Innovation, Vittorio Colao, had already warned in June that “more than 90% of public administration servers are not secure.” “There’s a legacy issue with local and central public administrations, as they work with very old servers and do not have budgets strong enough to update their network infrastructure,” Luisa Franchina, the president of the Italian Association for Critical Infrastructures, tells ZDNet. Thanks to the EU-funded National Recovery and Resilience Plan (PNRR), this is set to change. Total funding for the plan amounts to €261 billion (including some national funding), of which €11.15bn will be allocated for the “digitalization, innovation and security of the public administration”.

    Buying newer and more up-to-date hardware and software will certainly help make life more difficult for attackers; the recently established Agenzia per la Cybersicurezza Nazionale (ACN), which will operate under the direct control of the Prime Minister, should also play a key role. Across the 2021-2027 timeframe, the ACN will oversee a €529m total budget and hire up to 1,000 cybersecurity professionals, starting with 300 employees and then gradually expanding. This compares with just 50 cybersecurity experts who were previously operating under the Department of Information for Security umbrella. The agency will centralize competencies that were previously scattered among several government bodies and the intelligence services, and will help define and coordinate the Italian cybersecurity strategy. A key component of this strategy will be raising awareness of the issues at stake, and making sure both public and private actors performing functions critical to the safety of the so-called “national cybersecurity perimeter” take appropriate measures to address them. “The problem is not the tool, but the way it is used,” Corrado Giustozzi, a well-known cybersecurity expert in Italy, tells ZDNet. “A great car is useless, if badly driven. We need to focus on improving the processes and the culture.” Giustozzi knows what he is talking about. From 2015 to 2020, he was part of the Computer Emergency Response Team of the Agency for Digital Italy, one of the bodies whose competencies will now partly be taken over by the ACN. In that role, he helped design the minimum cybersecurity guidelines that all Italian public bodies, big and small, need to follow. Those measures contributed to improving a deeply concerning situation: a 2014 report found that only three central public authorities, out of dozens, took data protection seriously enough.

    Not following the guidelines

    Unfortunately, the guidelines are not always implemented.
In the Lazio-region attack, for instance, the rule not to keep the backup data on the same network as the source was apparently disregarded. The hackers were thus able to delete the backup, which was later recovered, although they could not encrypt it. “We move fast when there’s an emergency, but we do not focus enough on prevention and maintenance,” Giustozzi says.  “This is typically an issue where politics is involved: cybersecurity improvements are not prioritized because, unlike inaugurating a bridge, they are not immediately visible.”

    A more widespread issue, which concerns both the public and the private sector, is a skills shortage. In the 2021 Healthcare Security study by cybersecurity company Bitdefender, 74% of respondents said that the number of cybersecurity specialists in the Italian healthcare sector was inadequate. And it’s not just healthcare. In his 2019 report, The Italian Cyber Security Skills Shortage in the International Context, Oxford researcher Tommaso De Zan surveyed managers from the consulting, banking and finance, manufacturing, telecommunications, energy, and transportation sectors. De Zan found that 60% of them could not find even one candidate for the cybersecurity vacancies that they had opened, or had otherwise hired candidates that were not qualified. The problem might lie in part in the so-called “experience trap”, which occurs when employers offer jobs requiring many years of professional experience, but no entry-level opportunities. “In the last few years, Italian universities have started to offer cybersecurity master’s degrees. However, graduates find it difficult to be hired, since there are very few junior positions on offer,” De Zan says. It also does not help that there is little official data available. “The first thing to do is to produce a snapshot of the current cybersecurity skills shortage in Italy. Once done, an improvement strategy must be put into place, and the achieved results monitored on an ongoing basis,” he adds. This work falls into the domain of the ACN, which is also tasked with promoting public/private partnerships to train professionals and develop know-how and innovations in the cybersecurity sector. This will happen both in the ‘competence centers’ that are being supported by the Ministry of Economic Development and in new ‘cyber parks’, which will be modeled on the famous Israeli CyberSpark center of Beer-Sheva.
    “The competence centers will combine and promote the pre-existing knowledge of private and public stakeholders; the cyber parks will focus on research and training, developing new expertise in the process,” Franchina says. The first cyber park could be created in Sicily, in the area of the former CARA of Mineo, once Europe’s biggest camp for migrants and asylum seekers. Although some improvements had already been made in the past few years, the money inflow coming from the EU, combined with the increased awareness of politicians and industry stakeholders, means Italy is finally ready to make a quality leap in terms of cybersecurity skills and defenses. The challenge is now seizing the momentum without delay. Cybercriminals are also stepping up their attacks, and they’ve already shown that they can be devastating.


    FTC orders SpyFone to delete all of its surveillance data

    The US Federal Trade Commission (FTC) has ordered the developer of the SpyFone spyware app to delete all data that has been collected. 

    On September 1, the regulator said that SpyFone, together with the company’s chief executive Scott Zuckerman, are now also banned from the surveillance business and must delete any information illegally harvested, as well as attempt to notify its victims. “The stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack,” the FTC says. “The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence.” Spyware, also sometimes described as stalkerware, is usually installed by someone with physical access to a mobile phone and is able to track a user’s conversations, contacts and emails, harvest GPS location data, and monitor social media, among other functions. Spyware is often marketed as software for monitoring children and employees but may be turned to purposes including spying on partners and family members without their consent. The FTC alleges that Puerto Rico-based SpyFone, now doing business as Support King, LLC, sold stalkerware that allowed customers to monitor individuals “without the device owner’s knowledge.” Furthermore, the agency claims that SpyFone also “provided instructions on how to hide the app so that the device user was unaware the device was being monitored.” SpyFone and Zuckerman have also been accused of failing to meet basic security standards in protecting the information illegally collected by the apps. In 2018, an unsecured, online server reportedly leaked terabytes of data harvested from SpyFone-infected mobile devices. The exposed information has been added to the Have I Been Pwned search engine.

    “The company promised purchasers that it would work with an outside data security firm and law enforcement authorities to investigate the incident,” US regulators say. “The FTC, however, alleges that the company failed to follow through on this promise.” Support King and Zuckerman are now banned from “offering, promoting, selling, or advertising any surveillance app, service, or business.” The FTC says that this is the first ban of its kind against a spyware app. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security,” commented Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection. “We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.” While the company neither admitted nor denied the allegations laid at its feet, the Electronic Frontier Foundation (EFF) nonetheless applauded the FTC’s decision. In a separate statement, Commissioner Rohit Chopra said, “the FTC’s proposed order in no way releases or absolves Support King or Scott Zuckerman of any potential criminal liability.” ZDNet has reached out to Support King for additional comment and we will update when we hear back.


    Quick, easy (and free) way to make Facebook more bearable

    Facebook is one of those things that I have a love/hate relationship with. I find it a great way to keep in touch with people, but it can quickly turn into a hellstew at any moment.

    And it’s not just the ads. It’s the spam, the prompts for games and quizzes, videos popping out all over the place, and all the other distracting random stuff designed to steal my precious hours on this earth. One of the best things that I did to improve my Facebook experience was to install a browser extension called FB Purity. I honestly think that without this I would have dumped Facebook a long time ago. FB Purity is a browser extension that, as the makers put it, “helps you to take control of your Facebook experience.” Who doesn’t need some of that in their life?

    There’s so much built into FB Purity that it’s hard to know where to start, so I’ll just cover the features that I find useful. There’s a text filter system that lets you filter out specific keywords/phrases. This is great for making things like political posts and anti-vax/5G conspiracy tinfoil hat garbage evaporate. There’s also a powerful image content filter that lets you filter out images of cats, dogs, selfies, babies, memes, food, and smoking. It also allows you to create custom image content filters. With a few clicks you can hide all of the following: Events, Games and App Requests, Recommended Pages, Suggested Groups, People You May Know / Find More Friends, Get Connected, Pokes, Friend Requests, Birthdays, Chat, Trending Topics / Trending Hashtags, Businesses For You, Stories, Watchlist. I no longer get invites to play games, which is just super. FB Purity will also tell you who on your list has deleted, unfriended or blocked you. This can reveal some interesting trends, but on the whole I’m not that bothered by what other people choose to do. FB Purity is only available for desktop browsers (Mozilla Firefox, Google Chrome and any Chromium-based browser, Edge, Safari, Opera, Brave and Maxthon) and runs on Windows, macOS, Linux, and Chrome OS, so unfortunately there’s no version for iOS/Android. FB Purity is donationware, so if you like it, you can donate to keep the project moving forward. I’ve had FB Purity installed on my desktops and laptops for several years. The browser extension is solid and reliable, and is updated regularly. There are a few unsupported features currently because of the new Facebook look, but on the whole it does an excellent job.



    BitConnect director pleads guilty to role in $2 billion cryptocurrency fraud

    One of the directors involved in the BitConnect cryptocurrency Ponzi scheme has pleaded guilty to his role in the conspiracy.

    This week, the US Department of Justice (DoJ) said that Los Angeles resident Glenn Arcaro has pleaded guilty to the charge of conspiracy to commit wire fraud. Together with the forfeiture of criminal gains, Arcaro faces a maximum penalty of 20 years in prison. The 44-year-old was accused of playing a part in BitConnect, an unregistered securities offering and cryptocurrency scheme that collapsed in 2018. BitConnect promised investors high returns based on investments leveraging market volatility, but in order to participate, traders had to purchase BitConnect Coins (BCC) through Bitcoin (BTC) deposits. When BitConnect closed, without warning, the price of BCC plummeted and users were unable to access their funds. At the time, BitConnect operators cited bad press, distributed denial-of-service (DDoS) attacks, and the scrutiny of US regulators as reasons for its exit. Law enforcement then set to work tracking down the scheme’s operators. The DoJ says that investors in the US and abroad lost over $2 billion in what is now considered “the largest cryptocurrency fraud ever charged criminally.” In front of US Magistrate Judge Mitchell Dembin, Arcaro admitted to fraudulently conspiring with others to promote the cryptocurrency scam, as well as misleading investors over the proprietary software BitConnect apparently used to track the market and ensure profit.

    “In truth, BitConnect operated a textbook Ponzi scheme by paying earlier BitConnect investors with money from later investors,” prosecutors say. As a director, Arcaro took a slice of every investment made through BitConnect’s pyramid lending programs. As much as 15% of each trade went into his pocket and he eventually earned over $24 million. “Arcaro has accepted responsibility for his actions of defrauding thousands of individuals worldwide to invest in BitConnect,” commented Special Agent in Charge Eric Smith, FBI Cleveland Field Office. “He lined his pockets with millions of dollars, money from victims that believed their funds were being invested into a new cryptocurrency with a high rate of return.” In June, the US Securities and Exchange Commission (SEC) charged five alleged members of the BitConnect promoter pool. The regulator claims that in 2017 and 2018, the five promoted and sold securities through the BitConnect lending program, which promised investors returns as high as 40%. Marketing consisted of YouTube content, social media, and ‘testimonials’. The promoters each earned between $475,000 and $1.3 million in commission. The SEC has also filed a complaint against Arcaro and BitConnect founder Satish Kumbhani. The regulator is seeking injunctions and civil penalties.