Easter will soon be here again and the Easter egg hunts will begin. It is fun and exciting, and at the end there is the reward of an Easter nest filled with chocolate eggs and sweets. Hunting for Easter eggs happens in the virtual world too. These Easter eggs are hidden surprises that developers insert into things like operating systems, websites, applications and games. Easter eggs of this kind are fun, but they can also open a hidden back door for attackers.
The virtual Easter egg
In the virtual world, Easter eggs are hidden pieces of code that surface within an application. Developers or authors often hide little humorous surprises in their software, known as Easter eggs, which then become a permanent fixture of the application. Even the official software producer is often unaware of them, and they may be discovered quite by chance. To display or run an Easter egg in a programme, you need to press certain key combinations, call up particular menu items, enter specific text or carry out certain other actions. Easter eggs might be pictures, videos, hidden text or even special functions, a secret level or entire applications hidden within a programme.
No two eggs are alike
The same is true of both real Easter eggs and virtual Easter eggs – no two eggs are alike. There is no single definition of an Easter egg, which means there are many different variants. Some are documented internally and are relatively innocuous, but others are undocumented and have adverse effects. Easter eggs hide in the most diverse applications:
- Video games are where Easter eggs are most widespread. Back in 1979, the developer Warren Robinett was able to build a secret room in the “Adventure” video game made for the Atari game console, which contains a script with the words “Created by Warren Robinett”. It was the first action-adventure game and is also considered to be the first game to contain an Easter egg, but Easter eggs are also often found in movies in the form of allusions to other movies.
- Websites may also contain Easter eggs. One of Google's best known Easter eggs is when you type “do a barrel roll” into the search window. The browser screen then rotates through 360 degrees, or by typing “askew”, the search engine tilts the Google search results page so that everything is on a slant.
- Even Microsoft developers have hidden Easter eggs in old versions of Microsoft Office, contributing their own sense of humour. In Word 97, for example, by entering a secret key combination you could play pinball, and in Excel 97 you could use a flight simulator to fly over the names of the programme developers, which were carved into a virtual cliff. In Excel 2000 there was a motor racing game. Since then, however, this practice has been officially outlawed by Microsoft under the Trusted Computing Initiative because of its implications for security.
- An "Easter egg" was also discovered in connection with the Stuxnet virus, and Easter eggs were likewise found in Siemens PLC firmware – the system targeted by Stuxnet. These were embedded in an HTML file and depicted dancing monkeys. The code was neither documented nor tested, which clearly called the quality management into question.
The hidden back door with Easter eggs
In principle, Easter eggs are relatively harmless, as their aim is not to unleash a harmful action but to reveal a fun surprise. However, any undocumented code poses a security risk: code that has to stay secret cannot go through the normal test procedures, and it may open a potential hidden back door for attackers. Besides that, software with such features is not very trustworthy. This is why many software companies forbid programmers from inserting Easter eggs, or require them to undergo the normal source code testing. They then become officially built-in fun features to entertain users rather than secret, hidden messages from the programmer.
The term “logic bomb” often crops up in relation to Easter eggs. Like Easter eggs, logic bombs are hidden programming code that is deliberately incorporated into the software. Again, there is no universal definition of a logic bomb, but unlike Easter eggs, logic bombs initiate a harmful or even criminal process. What characterises these so-called “logic bombs” is that, just like Easter eggs, they are triggered by entering special data, at a specific time or via precisely defined actions, and then, unlike Easter eggs, they cause harm.
There have also been instances where former employees have planted logic bombs. One example is a former IT employee of the mortgage lender Fannie Mae. Had his logic bomb been triggered, it would have deleted countless customers' mortgage data and caused millions of dollars' worth of damage.
What can you do?
Although most Easter eggs are harmless and merely undocumented code, that undocumented code still poses a real security risk, and a logic bomb actually aims to do damage. Consider these points in that light:
- When buying new software, we also recommend that you take a look at the software contract. How are non-documented functions or Easter eggs addressed and how are they dealt with? If there is no clause in the contract, it is advisable to ask the manufacturer to include it.
- You can also take precautions against potentially unwanted applications (PUA for short), which may be installed directly by employees. You can prevent this by not assigning them the rights needed to do so in the first place. Keep local administrator rights on end devices to a minimum. Application whitelisting can also help, for example by using AppLocker.
- With unknown programmes, it is recommended that the application is first installed in a sandbox and tested before it is used in the operational environment. You can also combine this with reverse engineering to verify that the software does only what it is intended to do.
- If you develop or commission business applications yourself, make sure that security is taken into account from the very start of development. Define security-related activities for the entire development process and monitor that they are carried out, for example through security architecture reviews and security code reviews. And don't forget to document every function.
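One concrete check a security code review can automate is spotting the trigger pattern the article describes: a branch that is gated on a hard-coded "magic" input string or a fixed calendar date, the way both Easter eggs and logic bombs are typically armed. The script below is an added example, not code from the original article; it assumes the software under review is written in Python and uses a constructed sample file whose second function hides exactly such undocumented branches.

```python
import ast

# Constructed sample of a source file under review. The second function hides
# two undocumented branches: one armed by a "magic" input string (the Google
# example from the article) and one armed by a fixed date.
SAMPLE_SOURCE = '''
def greet(name):
    return "Hello " + name

def process(cmd, today):
    if cmd == "do a barrel roll":
        return "surprise"
    if today >= datetime.date(2021, 4, 4):
        return "hidden"
    return "ok"
'''


def _is_str_const(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hidden_triggers(source):
    """Return (line, reason) pairs for `if` tests that compare against a string
    literal or a constructed date. These are review flags for a human to judge,
    not proof of an Easter egg or logic bomb: a documented feature gated on a
    literal is fine, an undocumented one is what the review must question."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If) or not isinstance(node.test, ast.Compare):
            continue
        operands = [node.test.left] + node.test.comparators
        for op in operands:
            if _is_str_const(op):
                findings.append((node.lineno, f"branch gated on literal {op.value!r}"))
            elif isinstance(op, ast.Call) and ast.unparse(op.func).endswith("date"):
                findings.append((node.lineno, "branch gated on hard-coded date"))
    return findings


if __name__ == "__main__":
    for line, reason in find_hidden_triggers(SAMPLE_SOURCE):
        print(f"line {line}: {reason}")
```

Run against a real code base, the findings list becomes the checklist for the reviewer: every flagged branch must either be documented as an intended feature or be removed.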
How are things in your company? Have you identified your security vulnerabilities? Our cyber security experts will be pleased to help you. Contact us!
Hunting for “Easter eggs” is fun
Once again this year, lots of children (as well as adults) will be out hunting for Easter eggs. This time, they will probably have to hunt within their own homes. This is what the FOPH recommends, and of course we fully support that. For several years now, however, the hacker community has also been searching for hidden clues at Easter in a CTF (Capture The Flag) game called “Hacky Easter”. They are not actually hunting for Easter eggs but for flags (solution words) that have been deliberately hidden, for example in images, programmes, network traffic, etc. The CTF participants know exactly what they are searching for.
However you decide to spend the Easter holidays – be it hunting for chocolate Easter bunnies and Easter eggs, or searching for virtual Easter eggs – enjoy the holidays. Stay at home and STAY WELL!