Organizations running certain Cisco VPN gear may be susceptible to a remote denial-of-service attack that could knock out network connections for teleworkers or traveling employees accessing a corporate network through the Internet. A flaw in the Cisco VPN 3000 Concentrator could cause the device to reload or drop user connections if an attacker sends a specially crafted HTTP packet to the device, the vendor says.
A software upgrade is required to avoid the vulnerability, and several workarounds can be used to thwart potential attacks. Cisco VPN 3000 concentrators are devices that terminate encrypted connections for remote users accessing a network via the Internet. VPN 3000 concentrators running Version 4.7.0 through 4.7.2.A of the devices' software are affected by this vulnerability, Cisco says. Software versions prior to the 4.7 release are safe.
ChoicePoint, the data broker that set off a national debate after disclosing a data breach early in 2005, will pay $15 million in fines and other penalties for lax security standards, the Federal Trade Commission announced last week. ChoicePoint's $10 million fine is the largest civil fine in the FTC's history, the FTC said. In a settlement with the FTC, the company also will set up a $5 million fund to aid victims of identity theft that resulted from the data breach, and will implement new security measures and have an independent auditor review its security every other year until 2026.
ChoicePoint said it has taken several steps to improve security since the data breach was announced, including the hiring of an independent credentialing, compliance and privacy officer. The company also has stopped selling products containing sensitive personal information in some markets, it said.
AT&T and Avaya have launched an alliance to migrate businesses to VoIP. Using Avaya gear to run VoIP traffic over AT&T's IP backbone, the companies hope to smooth the way for customers who want to use VoIP in their businesses but also want to do so with a managed service. While AT&T says its services can interoperate with customer-site gear from other vendors, this alliance offers management of the VoIP network down to the handset. AT&T supports Avaya's Communications Manager and IP Office, among other products, with its IP Telephony and LAN Services.
Customers can outsource entire VoIP migration projects to AT&T, including design, installation and ongoing upkeep. While Avaya gear may be part of the service, customers deal directly only with AT&T.
CA is shuffling its executive ranks, naming technology strategist Mark Barrenechea as its new CTO. Barrenechea joined CA in 2003 after holding several executive positions at Oracle. He initially served as CA's head of product development before moving last year to the newly created position of executive vice president of technology strategy and chief technology architect. Barrenechea has been a highly visible spokesman for CA, commenting often on industry trends and CA's business strategy. Barrenechea will continue reporting directly to CEO John Swainson, and will remain in charge of CA's technology strategy and product architecture.