Easter will soon be here again, and Easter egg hunts will be starting. It is fun and exciting, and at the end we are rewarded with an Easter nest filled with chocolate eggs and sweets. Easter egg hunting happens in the virtual world too. These Easter eggs are hidden surprises that developers insert into things like operating systems, websites, applications and games. Easter eggs of this kind are fun, but they can also open up a hidden back door for attackers.
In the virtual world, Easter eggs are hidden pieces of code that pop up within an application. Developers or authors often hide funny little surprises, known as Easter eggs, in their software, where they become a permanent fixture of the application. Even the official software producer is often unaware of them, and they can be discovered quite by chance. To display or run an Easter egg in a programme, you need to use certain key combinations, call up menu items or enter text and carry out certain other actions. For instance, Easter eggs might be pictures, videos, hidden text or even special functions, a secret level or applications hidden within a programme.
The same is true of both real and virtual Easter eggs – no two eggs are alike. There is no single definition for Easter eggs and this means that there are many different variants. Some of them are documented internally and are relatively innocuous, but some of them are undocumented and have adverse effects. Easter eggs are hiding in the most diverse applications:
In principle, however, Easter eggs are relatively harmless, as their aim is not to unleash a harmful action but to reveal a fun surprise. Nevertheless, any undocumented code poses a security risk: because it has to be kept secret, it goes through no test procedures, and it may open up a hidden backdoor for attackers. Besides that, any software with these features is not very trustworthy. This is why many software companies forbid programmers from inserting Easter eggs, or require the Easter eggs to undergo normal source code testing. These are then officially built-in fun features to entertain the users and are no longer secret, hidden messages from the programmer.
The term “logic bomb” often crops up in relation to Easter eggs. Like Easter eggs, logic bombs are hidden programming code that is deliberately incorporated into the software. Again, there is no universal definition of what a logic bomb is, but unlike Easter eggs, logic bombs initiate a harmful or even a criminal process. What characterises these so-called “logic bombs” is that, in the same way as Easter eggs, they are triggered by entering special data, either at a specific time or via precisely defined actions, and then, unlike Easter eggs, they cause harm.
There have also been instances where former employees have planted logic bombs. One example is a former IT employee of the Fannie Mae mortgage lender who planted a logic bomb. Had it been triggered, it would have deleted countless customers' mortgage data and caused millions of dollars' worth of damage.
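One way a source code review can surface the trigger conditions described above (a specific time or special input data), shown as an added example that is not part of the original article. The sample function and the names `purge_records` and `show_credits` are constructed for illustration, and the heuristics are assumptions that will also flag some legitimate code:

```python
import ast

# Constructed sample (parsed only, never executed): one date-gated branch,
# one branch gated on a magic input string, one ordinary empty-input check.
SAMPLE = '''
def nightly_job(user_input, today):
    if today >= datetime.date(2030, 4, 1):
        purge_records()
    if user_input == "up-up-down-down":
        show_credits()
    if user_input == "":
        return None
'''

DATE_CTORS = {"date", "datetime"}

def _is_const_date(node):
    """True for date(...)/datetime(...) calls whose arguments are all literals."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
    return name in DATE_CTORS and bool(node.args) and all(
        isinstance(arg, ast.Constant) for arg in node.args)

def _is_magic_string(node, min_len=8):
    """True for string literals long enough to look like a secret trigger value."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and len(node.value) >= min_len)

def find_triggers(source):
    """Return sorted (line, kind) pairs for conditions gated on a hard-coded
    date or a magic string, so a reviewer can ask why the branch exists."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.If, ast.IfExp, ast.While)):
            continue
        for cmp in ast.walk(node.test):
            if not isinstance(cmp, ast.Compare):
                continue
            operands = [cmp.left, *cmp.comparators]
            if any(_is_const_date(op) for op in operands):
                findings.add((cmp.lineno, "hard-coded date"))
            elif any(_is_magic_string(op) for op in operands):
                findings.add((cmp.lineno, "magic string"))
    return sorted(findings)

if __name__ == "__main__":
    for line, kind in find_triggers(SAMPLE):
        print(f"line {line}: condition depends on a {kind}")
```

Each finding is a prompt for a reviewer to check whether the branch is documented and tested, not proof of an Easter egg or a logic bomb.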
Although the majority of Easter eggs are harmless and just undocumented code, they pose a real security risk, and the logic bomb actually aims to do damage. Consider these points in that light:
How are things in your company? Have you identified your security vulnerabilities? Our cyber security experts will be pleased to help you. Contact us!
Once again this year, lots of children (as well as adults) will be out hunting for Easter eggs. This time, they will probably have to hunt within their own homes. This is what the FOPH recommends, and of course, we fully support that. For several years now, the hacker community has also been searching for hidden clues at Easter in the form of a CTF (Capture The Flag) game called "Hacky Easter". They are not actually hunting for Easter eggs, however, but for flags (solution words) that have been deliberately hidden, for example in images, programmes or network traffic. The CTF participants know exactly what they are searching for.
However you decide to spend the Easter holidays – be it hunting for chocolate Easter bunnies and Easter eggs, or searching for virtual Easter eggs – enjoy the holidays. Stay at home and STAY WELL!