The flaw wasn't in the site itself; it was in the back-end machines responsible for guiding computers to that site. The vulnerability Kaminsky found is especially insidious because it allows criminals to tamper with machines whose reliability and trustworthiness are critical for the internet to function properly.

Kaminsky, who spoke on Wednesday at the Black Hat hacker conference in Las Vegas, has given few details publicly about the vulnerability he found in the Domain Name System (DNS), a network of servers used to connect computers to websites. He remained tight-lipped so that internet providers would have time to fix their machines. Many have done that, but others have delayed, leaving some people at risk. Major vendors like Microsoft, Cisco Systems, Sun Microsystems and others have issued patches - software tweaks that cover the security hole and prevent affected machines from ingesting the bogus information hackers are trying to feed them.

"The industry has rallied like we've never seen the industry rally before," Kaminsky said. Kaminsky's talk at the conference was packed, with people sitting on the floor of the main speaker's hall and overflowing out the back doors. His presentation instantly became one of the Black Hat conference's most anticipated after he announced on July 8 that he'd found a major weakness in DNS, a critical part of the internet's plumbing.

While some details leaked out early - security researchers accurately guessed parts of Kaminsky's discovery - he was able to keep a few juicy bits secret until the talk. One of those was the susceptibility of many email servers to the DNS vulnerability, an opening that gives criminals a way to plant themselves in the middle of the transmission from the sender to the recipient and redirect messages to their own servers, Kaminsky said. The result: criminals have a way not only to comb through the contents of those messages, but also to gain access to other password-protected websites the victims belong to.

That's because most sites have a feature that allows members to retrieve their passwords by email if they've forgotten them. If a criminal has access to the account where that message is sent, he can then begin snooping on the contents of that account, from email, to banking, to retailer sites. The thrust of the DNS flaw is that it allows hackers to attach bad information to packets flowing in and out of DNS servers, so that the servers change the directions they give to certain websites.

It's the equivalent of turning around a street sign to send drivers down the wrong street. So someone who innocently types in the address of a legitimate website can be strong-armed instead into going to a malicious site under the criminal's control. Because the attack happens at the network level, and the browser believes it's visiting the legitimate site, the attack is nearly impossible for users to detect. Many email servers are vulnerable because they also handle DNS traffic, Kaminsky said. Even if they only handle internal inquiries, if they interact with external DNS servers, that's often enough to expose them to attack.

Hackers are thus able to manipulate the packets associated with email traffic the same way they manipulate the packets associated with general web traffic.

AP