From the mosaic theory to the stuxnet case

With the term of Mosaic theory we refer the method used in security analysis to gather information about a corporation. A natural extension of the method hit its application to ordinary life. Mosaic theory involves collecting information from different sources, public and private, to calculate the value of security.

The key concept is the collection and analyzing of huge quantity of information apparently unrelated. Images of a CCTV camera, some pictures on favorite social network, a series of post exchanged here and there on the web …  all those information gathered over the years and to refer to any kind of research. The technological evolution has endowed us with things that made ​​it easy to implement a so futuristic and powerful theory :

• the availability of virtually unlimited storage
• increasingly powerful computer systems
• implementation of algorithms developed for the correlation of information

Any information is ideally turn a piece of a mosaic can be handled appropriately and give shape to surprising results that lead to the discovery of new information on the reality in analysis.

Let’s try for example to exasperate the concept of research … let’s use as ingredients “Stuxnet virus” , add the “visit of President Ahmadinejad at a nuclear facility back in 2008”, and crossed it all with a couple of pictures that were posted on the official website of the President. How are these information correlated?

The expert security Ralph Langner has demonstrated that paying attention to some of these images is possible to catch some meaningful details regarding the processes used inside the nuclear site, like its internal structure and number and disposition of its components. All this information are really useful to perform a cyber attack against this site.

As a brief recap, a first-generation Iranian uranium enrichment cascade consists of 164 centrifuges that are not simply piped in a serial fashion but in groups, which are called stages. Centrifuges within one stage are piped in parallel.  The resulting overall pattern is a belly-shaped curve. The exact shape of an IR-1 cascade was not publicly known but was computed in approximation by Alexander Glaser from Princeton, based on revelations of a talkative Gholam-Reza Aqazadeh who let the world know that Iran used to group their IR-1 cascades into fifteen stages. From the IR-1 cascade structure computed by Alex we were able to link Stuxnet’s 417 attack code to Natanz – the match was simply too good to be a coincidence.

More information can be found in detail analyzing the photos that recall the president in front of a screen of the SCADA system present in the control room. Are clearly visible on the screen a series of green dots that represent the active centrifuges arranged in 4 rows, the provision reflects exactly the internal structure of the nuclear site.

We have found an exact match with the cascade structure as coded in Stuxnet.

The green dots that you see on the displays are operational centrifuges. There are four rows of green dots (and centrifuges) because this is how they physically group centrifuges in Natanz, as it can be determined easily by looking at the walk-around pictures of the 2008 presidential visit. Look closely at the grey columns below the green dots, highlighted in the detail view by added red arrows. It is easy to see that the column size varies. The rightmost column spans one green dot, the second rightmost column two green dots, then three dots, then four, then five, then six, and then it goes back to five, with the left column edge being overwritten by the ending “r” of the President’s URL. After having looked at the pimped up detail view it is even easy to see in the original photograph, right?

Now multiply the column sizes with four, because every column contains four centrifuges. That makes 4, 8, 12, 16, 20, 24, 20. Did we see this before? Yes, that’s exactly the cascade structure as coded in Stuxnet. It also suggests that stage 15 in Natanz is using the rightmost four centrifuges being piped together, stage 14 the next eight centrifuges, and so forth (in Farsi they are writing from right to left).

Excellent isn’t it? Seemingly insignificant information, locate on different time axis, help to provide basic details related to one of the main mystery in the past few months.

While in the past the collection of information was related to a few areas, today we move along each axis of interest and the analysis no longer about the single individual but the totality of population.
This of course has positive and negative aspects that we can well imagine.

Pierluigi Paganini

References

http://wlcentral.org/node/2381

http://www.langner.com/en/2011/12/07/the-prez-shows-his-cascade-shape/

http://www.yalelawjournal.org/images/pdfs/358.pdf