Net address bug worse than feared By Maggie Shiels Technology reporter, BBC News, Silicon Valley Attackers could use the loophole to redirect web users to fake sites A recently found flaw in the internet's addressing system is worse than first feared, says the man who found it. Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas. He said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways. "Every network is at risk," he said. "That's what this flaw has shown." The DNS acts as the internet's address books and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (220.127.116.11). Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website. In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited. Via the flaw hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure. "There are a ton of different paths that lead to doom," he said. 'Hype' But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was "not vulnerable". The Silicon Valley company looks after two of the net's 13 DNS root servers. It also controls the computers that contain the master list of domain name suffixes such as .com and .net "If there is a silver lining in all of this, it's that users will become more aware and more consious of who they do business with." Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them." He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained. Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw. "It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site. "The fact of the matter is that there have been many ways like phishing attacks to misdirect them for a long time and this is just yet another of those ways that will be surgically exploited." Security gap Mr Kaminsky kept news of the flaw out of the public domain for months after its discovery to give companies time to patch servers. Mr Kaminsky said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing. Major vendors like Microsoft, Cisco, Sun Microsystems and others have issued patches to close the security hole. "The industry has rallied like we've never seen the industry rally before," said Mr Kaminsky. Computer users need to be educated to surf the superhighway more safely DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours. "Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers. Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax. "The biggest gap in security rests between the keyboard and the back of the chair," he said. "The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly." Mr Silva said education is fundamental in making the net a safer place. "We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in. "Yet when it comes to computer safety we forget to look both ways before crossing the internet highway."