In brief: Cisco remote-access gear vulnerable to DoS

Jan 30, 2006 | 4 mins

Plus: ChoicePoint fined $15 million in identity theft breach; AT&T, Avaya sign VoIP migration deal; IBM survey finds cybercrime concerns; 3Com has new president and CEO.

Organizations running certain Cisco VPN gear may be susceptible to a remote denial-of-service attack that could knock out network connections for teleworkers or traveling employees accessing a corporate network through the Internet. A flaw in the Cisco VPN 3000 Concentrator could cause the device to reload or drop user connections if an attacker sends a specially crafted HTTP packet to the device, the vendor says.

A software upgrade is required to avoid the vulnerability, and several workarounds can be used to thwart potential attacks. Cisco VPN 3000 concentrators are devices that terminate encrypted connections for remote users accessing a network via the Internet. VPN 3000 concentrators running Version 4.7.0 through 4.7.2.A of the devices’ software are affected by this vulnerability, Cisco says. Software versions prior to the 4.7 release are safe.

ChoicePoint, the data broker that set off a national debate after disclosing a data breach early in 2005, will pay $15 million in fines and other penalties for lax security standards, the Federal Trade Commission announced last week. ChoicePoint’s $10 million fine is the largest civil fine in the FTC’s history, the FTC said. In a settlement with the FTC, the company also will set up a $5 million fund to aid victims of identity theft that resulted from the data breach, and will implement new security measures and have an independent auditor review its security every other year until 2026.

ChoicePoint said it has taken several steps to improve security since the data breach was announced, including the hiring of an independent credentialing, compliance and privacy officer. The company also has stopped selling products containing sensitive personal information in some markets, it said.

AT&T and Avaya have launched an alliance to migrate businesses to VoIP. Using Avaya gear to run VoIP traffic over AT&T’s IP backbone, the companies hope to smooth the way for customers who want to use VoIP in their businesses but also want to do so with a managed service. While AT&T says its services can interoperate with customer-site gear from other vendors, this alliance offers management of the VoIP network down to the handset. AT&T supports Avaya’s Communications Manager and IP Office, among other products, with its IP Telephony and LAN Services.

Customers can outsource entire VoIP migration projects to AT&T including design, installation and ongoing upkeep. While Avaya gear may be part of the service, customers only deal directly with AT&T.

CA is shuffling its executive ranks, naming technology strategist Mark Barrenechea as its new CTO. Barrenechea joined CA in 2003 after holding several executive positions at Oracle. He initially served as CA’s head of product development before moving last year to the newly created position of executive vice president of technology strategy and chief technology architect. Barrenechea has been a highly visible spokesman for CA, commenting often on industry trends and CA’s business strategy. Barrenechea will continue reporting directly to CEO John Swainson, and will remain in charge of CA’s technology strategy and product architecture.

His duties also will include supervising a research group that focuses on emerging technologies, such as RFID, and coordinates with academic researchers. CA’s former CTO, Yogesh Gupta, is now CA’s senior vice president of business development.

According to an IBM-sponsored survey of 700 participants who have Internet access at work or home, a growing fear about cybercrime is affecting how they engage in e-commerce online or by phone. It’s also keeping some from accessing wireless LAN networks in public locales. Half the respondents say they don’t use shared wireless networks in places such as coffee shops or airports because of concern about cybercrime. Almost three in 10 have stopped reading credit or debit card information over the phone, and 18% have stopped paying bills online. Sixteen percent have stopped playing online games.

3Com has tapped a new president and CEO, R. Scott Murray, who will take over immediately for retiring chief executive Bruce Claflin. Murray was formerly CEO of Modus Media International, a provider of hosted supply-chain management services. Murray also will take over Claflin’s role as chairman of the Huawei Technologies-3Com joint venture, through which 3Com produces many of its large-scale enterprise products for the U.S. market.

Claflin, who announced his retirement plans Jan. 11, had served as 3Com’s CEO and president since 2000. He led the network vendor through several shifts in its enterprise strategy, an exit from the carrier market, a joint venture with Chinese network-gear maker Huawei, and the acquisition of IPS vendor TippingPoint. 3Com is giving Claflin a $3.3 million severance package, the equivalent of two years of his base pay and projected bonuses.