No Place to Hide: Stopping SteganRTP Attacks
Transcript of No Place to Hide: Stopping SteganRTP Attacks
NetSecure 2011, March 25, 2011
About Paul Sand, SVP, IP3, Inc.
◦ 25 Years of Telecommunications Experience: Bell Labs, AT&T, Lucent Technologies, Salare Security
◦ Co-Chair, ISA UC Security Project, “Automating Security Controls”
◦ Co-Author, ANSI’s The Financial Management of Cyber Risk
◦ Program Director, FBI InfraGard Chicago
◦ Member, US Secret Service Electronic Crimes Task Force
◦ UL Security Council Member
About IP3, Inc.
• Provide World Class Coverage of Emerging Technologies for Information Assurance and IT Security
• Client Base:
Government – US Navy, US Air Force, US Army, Federal Reserve and US Treasury
Universities – University of Dallas, George Washington University, Drexel, Pace University, IIT, Portland State University, Rochester Institute of Technology
Associations – InfraGard, ISACA, ISSA, ASIS, AHIMA
Fortune 1000 Companies – Office Depot, MasterCard, Prudential, Aramark, EDS, Lockheed Martin, Booz Allen, Capital One, Accenture
Threat Surface Area 10x↑, No Security
[Diagram: a Converged Net spanning the Public Data Net, the Public VoIP Net and the PSTN; edge elements shown are an SBC, Firewall/IDS/IPS/DLP and Media Gateways, labelled "Marginal Media Security" and "No Media Security"]
Real-Time Media Ignored – Why?
• Media Gateways Transcode Media Content
• SBCs Protect the VoIP Network
• No Significant Media Gateway Vulnerabilities Yet Identified
Real Time is Different!
Network Parameters:
Latency – Delay
Jitter – Consistency in Delivery Time
Loss – Dropped Information
[Table: rows Latency, Jitter, Loss; columns "Quality Impact on Real-Time Data", "Is There an Economic Mitigation?" and "Packet Inspection Impact"; entries rated Major, Significant or None]
What’s the Reality?
• Transcoding does change things – but not always and probably not often
• SBCs do not protect the media stream
• No one is looking for Media Gateway vulnerabilities
• VoIP is viewed as the asset under attack, not the means of the attack
No one is looking for Media Stream Exploits
• There is an Economic Mitigation
SBCs and Real-Time Media
[Diagram: Border Controller and Border Gateway; on the SIP signalling path the SBC checks for DoS, Fuzzing and Pin Holes; on the RTP media path it checks only Size and Codec]
Media is Virtually Un-secured
Media is 97% or More of the Traffic!
Data Can flow through VoIP inside RTP!!
The Exploit: SteganRTP
[Diagram: two User Agents exchange Voice over RTP; a SteganRTP Client at each end carries Data (Sent File, Chat, Remote Shell) inside the stream]
• Natural RTP Stream
• Encrypted Malicious Payload
• Steals Least Significant Bit
Impact of Successful Exploitation
• Stolen Intellectual Property
• Lost Military Intelligence
Volumes of F-32 and VH71 design info were leaked
• Lost Corporate Intelligence
– Product Roadmaps
– M&A
– Bid Information
• Disclosure of PII
– Employees
– Business Partners
• Networks shut down through Covert Control
The Solution: vPurity™
Uses Three Approaches:
• FlowSpect™ Technology – Payload Based; Unencrypted Channels
• vTect™ Technology – Packet Based; Encrypted/Unencrypted Channels
• Active Network Behavior Analysis – Channel Distortion; Encrypted/Unencrypted Channels
Stops Data Transmissions in VoIP
FlowSpect™ Technology
• Samples contiguous payload bytes:
Ex: 0x67, 0xf6, 0x7b, 0x7e, 0xf1, 0x6e
• Calculates statistical view of the sample
• Determines payload type: Voice vs. non-Voice
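The FlowSpect™ bullets above describe sampling contiguous payload bytes and taking a statistical view of them to separate voice from non-voice. As an added example (not Salare's FlowSpect code, nor SteganRTP's), the Python below applies one such statistic, the pairs-of-values chi-square test, to a constructed 8-bit PCM tone standing in for a voice payload and to the same bytes after their least significant bits are overwritten with seeded random data standing in for the encrypted payload described on the SteganRTP slide. The tone parameters, payload format, classification threshold and function names are all assumptions made for this example.

```python
import math
import random
from collections import Counter

SAMPLE_RATE = 8000   # telephony sampling rate
FRAME_BYTES = 160    # 20 ms of 8-bit samples per RTP packet

def synth_voice_frames(n_frames: int, tone_hz: float = 440.0, amp: int = 60) -> bytes:
    """Constructed cover: a low-amplitude tone as unsigned 8-bit PCM (not real G.711 output)."""
    out = bytearray()
    for n in range(n_frames * FRAME_BYTES):
        out.append(128 + round(amp * math.sin(2 * math.pi * tone_hz * n / SAMPLE_RATE)))
    return bytes(out)

def embed_lsb(cover: bytes, hidden: bytes) -> bytes:
    """Overwrite the LSB of each cover byte with the next hidden bit (the SteganRTP idea)."""
    bits = ((b >> i) & 1 for b in hidden for i in range(7, -1, -1))
    return bytes((c & 0xFE) | next(bits, 0) for c in cover)

def pov_chi_square_per_dof(payload: bytes) -> float:
    """Chi-square over the pairs of values (2k, 2k+1), divided by the number of pairs.

    LSB replacement evens out both counts in every pair, so an embedded stream scores
    about 1.0; a natural signal keeps unequal pairs and scores well above that.
    """
    hist = Counter(payload)
    chi2, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            chi2 += (a - b) ** 2 / (a + b)
            dof += 1
    return chi2 / dof if dof else 0.0

def classify_payload(payload: bytes, threshold: float = 2.0) -> str:
    """Label a run of contiguous RTP payload bytes as 'voice' or 'non-voice' (assumed threshold)."""
    return "non-voice" if pov_chi_square_per_dof(payload) < threshold else "voice"

def demo_scores(n_frames: int = 25, seed: int = 2011) -> dict:
    """Score a clean cover and the same cover carrying a seeded random payload."""
    cover = synth_voice_frames(n_frames)              # 25 packets = 4000 payload bytes
    rng = random.Random(seed)                         # seeded bytes stand in for ciphertext
    secret = bytes(rng.getrandbits(8) for _ in range(len(cover) // 8))
    return {"clean": pov_chi_square_per_dof(cover),
            "stego": pov_chi_square_per_dof(embed_lsb(cover, secret))}

if __name__ == "__main__":
    for name, score in demo_scores().items():
        print(f"{name:5s} chi2/dof = {score:5.2f}")
```

Real codec output is noisier than a pure tone, so a production threshold would be calibrated on genuine voice captures rather than taken from this constructed sample.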
vTect™ Technology
• Pairs RTP Streams into “Hyper Flow”
• Examines: Inter-arrival, Payload Size,
Balance of “Hyper Flow”
• Determines Flow type: Voice vs. non-voice
Active NBA
• Stimulate transmission
• Observe response/non-response
• Repeat if necessary
• Determine flow type: Voice vs. non-voice
vPurity™ Network Behavior Analysis
Salare Security Confidential
[Diagram: a vPurity™ Appliance placed beside each SBC on the SIP Trunks between the Enterprise VoIP Network and the Carrier VoIP Network]
Deploying vPurity™ Appliances
Redundant vPurity™ Appliances Per Interface Are Recommended for Maximum Availability
[Diagram: paired vPurity™ Appliances in front of the SBC and of each IP-PBX + MG, with ISDN PRI links to the PSTN; each appliance is an L2 device with Physical ByPass]
Questions & Contact Info
Ask me for a copy of a white paper.