Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Where's my gigabit Internet, anyway?
Americans cool with lab-grown organs, but not designer babies
IE6: Retired but not dead yet
Enterprise who? Google says little about Apps, business cloud services in Q1 report
DDoS Attackers Change Techniques To Wallop Sites
Can we talk? Internet of Things vendors face a communications 'mess'
AMD's profitability streak ends at two quarters
Michaels says breach at its stores affected nearly 3M payment cards
Exclusive: Google's Project Loon tests move to LTE band in Nevada
H-1B loophole may help California utility offshore IT jobs
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
/

Easter eggs and the Trusted Computing Base

Related linksToday's breaking news
Send to a friendFeedback

Sign up to receive this and other networking newsletters in your inbox.

On March 6, I spoke at NATO Headquarters in Brussels in an unclassified security-awareness briefing concerning computer crime implications for national security. The following is a summary of part of my presentation.

The confluence of several security threats has destroyed the Trusted Computing Base (TCB) on which security has depended for the last two decades.

The TCB was the constellation of trustworthy hardware, operating systems and application software that allowed for predictable results from predictable inputs.

Did you know that there is a flight simulator concealed in Microsoft Excel 97? To access this game use the following sequence of commands (detailed by Larry Werring in RISKS Digest 19.53 on January 5, 1998):

  • Open Excel 97.
  • Open a new worksheet and press the F5 key.
  • Type X97:L97 and press the Enter key.
  • Press the Tab key.
  • Hold Ctrl-Shift and click the Chart Wizard button on the tool bar.
  • Once the Easter egg is activated, use the mouse to fly around - right button for forward, left for reverse.

If you have DirectX drivers installed, a bizarre landscape appears and you can "fly" over (or under) the geometric forms by using the arrow keys on your keyboard. If you look carefully in the virtual distance, you can find a stone monitor planted in the ground. If you get close enough, you can see the names of the development team scrolling by.

How much space in the source and object code does this Easter egg take? How much RAM and disk space are being wasted by all the people who have installed and are using this product? And much more seriously, what does this Easter egg imply about the quality assurance at the manufacturer's offices?

An Easter egg is presumably undocumented code - or at least, it's undocumented for the users. I do not know if it is documented in internal Microsoft documents. However, I think the fact that this undocumented function got through Microsoft's quality assurance process is terribly significant. I think the failure implies that there is no test-coverage monitoring in that quality assurance process.

When testing executables, one of the necessary (but not sufficient) tests is coverage - that is, how much of the executable code has actually been executed at least once during the quality assurance process. Without running all the code at least once, one can state with certainty that the test process is incomplete. Failing to execute all the code means that there may be hidden functionality in the program: anything from an Easter egg to something worse. What if the undiscovered code was to be invoked in unusual circumstances and cause damage to a user's spreadsheet or system? We would call such code a logic bomb.

That's bad enough, but it gets worse. Consider the following observations:

  • There is already at least one family of Excel macro virus that alters the contents of cells; the Macro.Excel.Sugar virus randomly inserts silly text into up to 200 cells. This payload is immediately obvious, but more insidious Excel macroviruses might cause subtle problems. For example, a virus could cause shifts in the low-order significant digits of constants - something that might not be noticed in individual cells but which might have significant effects on calculated results.

  • Research projects by Coopers & Lybrand in London, England, showed that 90% of all the spreadsheets with more than 150 rows had errors in them. Research on production spreadsheets by University of Hawaii scientists revealed that in 300 files tested and in experiments with more than 1,000 users, many spreadsheets contained at least one significant formula mistake.

  • In December 1999, Computer Associates issued a warning about the W.95.Babylonia virus, described as an extensible virus whose payload could be modified remotely by its author. The December outbreak of Babylonia in the wild involved a Trojan horse disguised as a Y2K bug fix for Internet Relay Chat users. The Trojan horse would send itself to other users and also poll an Internet site in Japan looking for updated plug-ins to alter the effects of the malicious software.

  • Distributed computing in today's Internet means that most na´ve users accept code from Web sites with little awareness of the dangers of executing unknown and perhaps poorly tested or malicious code on their desktop.

  • Recent distributed denial-of-service attacks have shown how easy it is to install unauthorized code on Internet-connected systems and have that code lie quiescent until instructions are broadcast from a master program on a remote system.

Well then, here's the scenario: Bad Guys infiltrate major software company and install undocumented code in widely distributed spreadsheet software. Faulty quality assurance allows the logic bomb to go into production releases.

The logic bomb in the spreadsheet software receives payload instructions from an Internet connection.

At a specified time, the spreadsheet program alters data in millions of spreadsheets in, say, the U.S. Calculations go awry in subtle but dangerous ways. Since almost no one bothers to document their spreadsheets or provide test suites that can validate the calculations, few people notice the changes.

Business, engineering, medical and academic users make mistakes - they allocate the wrong amounts to investments and inventory, they predict the wrong stresses on bridge components, they calculate bad dosages for patient medication and they assign good grades to bad students.

This situation leads to decreased efficiency in the U.S. economy and is a contributing factor to a national and eventually international recession.

This scenario is an example of asymmetric information warfare - electronic sabotage on a grand scale but for low cost. Winn Schwartau used just this kind of scenario in his 1991 novel, Terminal Compromise - great fun and still available from Interpact (e-mail sherra@gte.net).

So the next time you play with an Easter egg in commercial software, stop and think. Should you express your concerns to the manufacturer, instead of just chuckling over a programmer's joke?

RELATED LINKS

Check out the new "Computer Security Handbook, 4th Edition" edited by Seymour Bosworth and Michel E. Kabay; Wiley (New York), ISBN 0-4714-1258-9. Available now at your technical bookstore or visit Amazon.

M. E. Kabay, Ph.D., CISSP is Associate Professor of Information Assurance in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail by clicking here. He invites inquiries about his information security and operations management courses and consulting services. Visit his Web site for papers and course materials on information technology, security and management.

Information Security Magazine

Freeware Laroux Virus Remover (Excel 97 or later)
for Windows or Macintosh

Downloads: Anti-virus

Archive of Network World on Security newsletters

Network World Security Alert will keep you up to date on the latest security holes and patches, with daily updates from key vendors, security organizations and Network World reporters. See the latest dispatches from the security here.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.