A new Firefox browser plug-in exploits authentication security weaknesses in various popular websites, including Facebook, Twitter, Amazon and Google. The result is that anyone who uses public, unencrypted wireless networks to access those websites now faces a greater risk of data theft.

Plug-ins are common software tools that people use to customize their Internet browsers--to play videos, for example, or to block ads. Many legitimate plug-ins exist. But the new plug-in Firesheep allows users to quietly collect account data sent by other people over an unsecured wi-fi network.

Campus applications, such as the MyUCDavis web portal and the Banner student information system, are not susceptible to this security vulnerability. Campus wireless users can also improve their security by using the campus moobilenetx and resnetx wireless systems, which enhance privacy by encrypting network traffic.

Other suggestions to improve security:

• Access only web applications that support an encrypted service (e.g., HTTPS protocol) to log in and/or to access a program.
• Use the campus Virtual Private Network (VPN) for remote Internet access.
• Use a tethered Internet service through a wireless service provider.

There is also a Firefox browser plug-in that attempts to force secure HTTPS protocol use for capable websites.

Please direct any questions regarding use of the campus VPN service to cr-service@ucdavis.edu. Please direct questions regarding use of the UC Davis Health System VPN service to the Technology Operations Center at 916-734-4357.