No Place to Hide: Stopping SteganRTP Attacks

No Place to Hide: Stopping SteganRTP Attacks NetSecure 2011 March 25, 2011

Transcript of No Place to Hide: Stopping SteganRTP Attacks

Page 1: No Place to Hide: Stopping SteganRTP Attacks

No Place to Hide: Stopping SteganRTP Attacks

NetSecure 2011, March 25, 2011

Page 2: No Place to Hide: Stopping SteganRTP Attacks

About Paul Sand, SVP, IP3, Inc.

◦ 25 Years of Telecommunications Experience

Bell Labs, AT&T, Lucent Technologies, Salare Security

◦ Co-Chair, ISA UC Security Project, “Automating Security Controls”

◦ Co-Author, ANSI’s The Financial Management of Cyber Risk

◦ Program Director, FBI InfraGard Chicago

◦ Member, US Secret Service Electronic Crimes Task Force

◦ UL Security Council Member

Page 3: No Place to Hide: Stopping SteganRTP Attacks

About IP3, Inc.

• Provide World Class Coverage of Emerging Technologies for Information Assurance and IT Security

• Client Base:

– Government – US Navy, US Air Force, US Army, Federal Reserve and US Treasury

– Universities – University of Dallas, George Washington University, Drexel, Pace University, IIT, Portland State University, Rochester Institute of Technology

– Associations – InfraGard, ISACA, ISSA, ASIS, AHIMA

– Fortune 1000 Companies – Office Depot, MasterCard, Prudential, Aramark, EDS, Lockheed Martin, Booz Allen, Capital One, Accenture

Page 4: No Place to Hide: Stopping SteganRTP Attacks

Threat Surface Area 10x↑, No Security

[Diagram: a Converged Net joining the Public Data Net, the Public VoIP Net and the PSTN. Elements shown: SBC, Firewall, IDS/IPS, DLP, Media Gateways. Media security is labelled Marginal at best, and None at the Media Gateways.]

Page 5: No Place to Hide: Stopping SteganRTP Attacks

Real-Time Media Ignored

Why?

• Media Gateways Transcode Media Content

• SBCs Protect the VoIP Network

• No Significant Media Gateway Vulnerabilities Yet Identified

Page 6: No Place to Hide: Stopping SteganRTP Attacks

Network Parameters

• Latency – Delay

• Jitter – Consistency in Delivery Time

• Loss – Dropped Information

[Table on slide: for each parameter, the Quality Impact on Real-Time Data (entries on the slide: Major / None) and the Packet Inspection Impact (entries: Significant / None), under the question "Is There an Economic Mitigation?"]

Real Time is Different!

Page 7: No Place to Hide: Stopping SteganRTP Attacks

What’s the Reality?

• Transcoding does change things – but not always and probably not often

• SBCs do not protect the media stream

• No one is looking for Media Gateway vulnerabilities

• VoIP is viewed as the asset under attack, not the means of the attack

• There is an Economic Mitigation

No one is looking for Media Stream Exploits

Page 8: No Place to Hide: Stopping SteganRTP Attacks

SBCs and Real-Time Media

[Diagram: Border Controller and Border Gateway with SIP signalling and RTP media passing through. Labels beside SIP: DOS, Fuzzing, Pin Holes. Labels beside RTP: Size, Codec.]

Media is Virtually Un-secured

Media is 97% or More of the Traffic!

Data Can flow through VoIP inside RTP!!

Page 9: No Place to Hide: Stopping SteganRTP Attacks

The Exploit: SteganRTP

[Diagram: two User Agents exchanging Voice over RTP; a SteganRTP Client at each end carries Data (Sent File, Chat, Remote Shell) inside the same stream.]

• Natural RTP Stream

• Encrypted Malicious Payload

• Steals Least Significant Bit

Page 10: No Place to Hide: Stopping SteganRTP Attacks

Impact of Successful Exploitation

• Stolen Intellectual Property

• Lost Military Intelligence

Volumes of F-32, VH71 design info was leaked

• Lost Corporate Intelligence

– Product Roadmaps

– M&A

– Bid Information

• Disclosure of PII

– Employees

– Business Partners

• Networks shut down through Covert Control

Page 11: No Place to Hide: Stopping SteganRTP Attacks

The Solution: vPurity™

Uses Three Approaches:

• FlowSpect™ Technology

– Payload Based

– Unencrypted Channels

• vTect™ Technology

– Packet Based

– Encrypted/Unencrypted Channels

• Active Network Behavior Analysis

– Channel Distortion

– Encrypted/Unencrypted Channels

Stops Data Transmissions in VoIP

Page 12: No Place to Hide: Stopping SteganRTP Attacks

FlowSpect™ Technology

• Samples contiguous payload bytes:

Ex: 0x67, 0xf6, 0x7b, 0x7e, 0xf1, 0x6e

• Calculates statistical view of the sample

• Determines payload type

Voice vs. non-Voice
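The slide names the idea (a statistical view of contiguous payload bytes) but not the statistic. As an added illustration, and not Salare's code or anything from the talk, the Python below applies the pairs-of-values chi-square test, a standard steganalysis check for LSB replacement, to a constructed G.711 payload sample, once clean and once with its LSB plane overwritten as the exploit slide describes. The synthetic voice, the seed and the decision threshold are assumptions.

```python
import math
import random
from collections import Counter

def mulaw_encode(sample: int) -> int:
    """G.711 mu-law encoder (ITU-T G.711, same steps as the classic g711.c) for a
    14-bit linear sample in -8159..8159; used only to build the constructed voice."""
    mask = 0xFF if sample >= 0 else 0x7F
    mag = min(abs(sample), 8159) + 33                     # magnitude plus bias
    ends = (0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, 0xFFF, 0x1FFF)
    seg = next((i for i, top in enumerate(ends) if mag <= top), 8)
    if seg >= 8:
        return 0x7F ^ mask                                # full-scale clip
    return ((seg << 4) | ((mag >> (seg + 1)) & 0xF)) ^ mask

def constructed_voice_payload(n: int = 2000) -> bytes:
    """Constructed stand-in for G.711 voice: 50 ms bursts of a decaying 300 Hz tone
    at 8 kHz separated by 50 ms of digital silence (0xFF)."""
    out = []
    for i in range(n):
        amp = 6000 * math.exp(-(i % 400) / 200) if (i // 400) % 2 == 0 else 0
        out.append(mulaw_encode(int(amp * math.sin(2 * math.pi * 300 * i / 8000))))
    return bytes(out)

def constructed_stego_payload(voice: bytes, seed: int = 1) -> bytes:
    """Constructed test input mirroring the slide's description of the exploit:
    the LSB of every voice byte replaced by a bit of random-looking (encrypted) data."""
    rng = random.Random(seed)
    return bytes((b & 0xFE) | rng.getrandbits(1) for b in voice)

def pairs_of_values_ratio(payload: bytes) -> float:
    """Chi-square over the 128 value pairs (2k, 2k+1), divided by the number of
    pairs present. Overwriting the LSB plane pushes each pair towards equal counts,
    so the ratio sits near 1; natural voice keeps structure (far more 0xFF silence
    bytes than 0xFE) and scores much higher."""
    counts = Counter(payload)
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi2 += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
            pairs += 1
    return chi2 / pairs if pairs else 0.0

def classify_payload(payload: bytes, threshold: float = 3.0) -> str:
    """Voice vs. non-voice decision; the threshold is an assumption tuned to the
    constructed samples, not a vendor parameter."""
    return "voice" if pairs_of_values_ratio(payload) >= threshold else "non-voice"
```

Real calls carry background noise rather than pure digital silence, which lowers the contrast; the test is a per-sample indicator to be combined with the flow-level checks, not a verdict on its own.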

Page 13: No Place to Hide: Stopping SteganRTP Attacks

vTect™ Technology

• Pairs RTP Streams into “Hyper Flow”

• Examines: Inter-arrival, Payload Size, Balance of “Hyper Flow”

• Determines Flow type:

Voice vs. non-voice
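The slide lists the features vTect examines but not how they are combined. As an added illustration, and not Salare's code, the Python below parses RTP headers from two constructed captures, pairs the two directions of a call into one hyper flow, and scores inter-arrival regularity, payload-size constancy and directional balance; the captures, the SSRCs and the thresholds are assumptions.

```python
import statistics
import struct
from collections import defaultdict

def parse_rtp(pkt: bytes) -> tuple:
    """Fixed RTP header (RFC 3550): returns (ssrc, seq, timestamp, payload_len)."""
    vpxcc, _mpt, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if vpxcc >> 6 != 2: raise ValueError("not RTP version 2")
    return ssrc, seq, ts, len(pkt) - 12 - 4 * (vpxcc & 0x0F)   # minus CSRC list

def build_rtp(ssrc: int, seq: int, ts: int, payload: bytes) -> bytes:
    """Constructed RTP packet: V=2, no CSRCs, payload type 0 (PCMU)."""
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

def cv(values) -> float:   # coefficient of variation; 0 for a perfectly regular series
    return statistics.pstdev(values) / statistics.mean(values) if len(values) > 1 else 0.0

def classify_hyper_flow(captured):
    """captured: list of (arrival_s, src, dst, rtp_bytes) for both directions of one
    call. Thresholds are assumptions for the constructed captures, not vendor values."""
    flows = defaultdict(list)                       # (src, dst) -> [(arrival, payload_len)]
    for t, src, dst, pkt in captured:
        flows[(src, dst)].append((t, parse_rtp(pkt)[3]))
    fwd, rev = sorted(flows.values(), key=len, reverse=True)
    stats = {}
    for name, direction in (("fwd", fwd), ("rev", rev)):
        times = [t for t, _ in direction]
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[name] = (cv(gaps), cv([n for _, n in direction]))   # (inter-arrival, size)
    balance = len(rev) / len(fwd)
    voice = balance > 0.5 and all(ia < 0.25 and sz < 0.1 for ia, sz in stats.values())
    return ("voice" if voice else "non-voice", balance, stats)

def constructed_capture(kind: str):
    """Constructed captures: 'voice' is a balanced 20 ms PCMU call with +-2 ms jitter;
    'tunnel' is one side pushing bursts of varying size with only occasional replies."""
    pkts = []
    if kind == "voice":
        for i in range(100):
            j = 0.002 * ((i * 7) % 3 - 1)
            pkts.append((1 + 0.020 * i + j, "A", "B", build_rtp(0x1111, i, 160 * i, b"\xff" * 160)))
            pkts.append((1 + 0.020 * i + 0.005 - j, "B", "A", build_rtp(0x2222, i, 160 * i, b"\xff" * 160)))
    else:
        t = 1.0
        for i in range(100):
            t += 0.001 + (0.040 if i % 5 == 0 else 0)
            pkts.append((t, "A", "B", build_rtp(0x3333, i, 160 * i, b"\x00" * (40 + 200 * (i % 4)))))
            if i % 20 == 0:
                pkts.append((t + 0.0005, "B", "A", build_rtp(0x4444, i // 20, 0, b"\x00" * 40)))
    return sorted(pkts, key=lambda p: p[0])
```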

Page 14: No Place to Hide: Stopping SteganRTP Attacks

Active NBA (Network Behavior Analysis)

• Stimulate transmission

• Observe response/non-response

• Repeat if necessary

• Determine flow type

Voice vs. non-voice

Page 15: No Place to Hide: Stopping SteganRTP Attacks

Deploying vPurity™ Appliances

[Deployment diagram: vPurity™ Appliances at each SBC between the Enterprise VoIP Network and the Carrier VoIP Network (SIP Trunks), and at each IP-PBX + MG towards the PSTN (ISDN PRI); each appliance is an L2 device with physical bypass.]

Redundant vPurity™ Appliances Per Interface Are Recommended for Maximum Availability

Page 16: No Place to Hide: Stopping SteganRTP Attacks

Questions & Contact Info

Ask me for a copy of a white paper.