Visualisation of time based attacks on DMZ (videos)

Posted on August 24, 2014

Visualisation of two weeks of IPS data

Critical and high significant IPS events detected on a public facing Palto Alto device, visualised using Microsoft Excel Power Map for a period in November and December 2013.

The data is taken from daily detection summaries so although it covers a nearly two-week period has 24 hour time resolutions.

The attacks are differentiated between Spyware and Vulnerability.

Note the fairly constant levels of vulnerability attacks from China, Turkey & Indonesia.

The practical application of such a visualisation in detecting or preventing attacks is limited, however, it provides an effective mechanism to explain the level of attack (directed and random) against the organisation on a pretty much constant basis.



Visualisation of 24 hours of IPS data

Critical and high significant IPS events detected on a public facing Palto Alto device, visualised using Microsoft Excel Power Map for a 24 hour period on the 10th and 11th December 2013.

The source data is per event detected over that 24 hour period.

The attacks are differentiated between Spyware and Vulnerability.

The video shows two types of visualisation, first a “phased decay” where the attack is plotted and then fades away if not detected. This shows the attacks coming and going across the globe with the exception of China which is fairly constant source of attack.

The second segment shows a continuous growth in the sizes of the attack bubbles over the period. This illustrates the overall relative number of attacks from the various sources.

Note the main sources of vulnerability attacks being China, Turkey, Argentina & Indonesia.

The practical application of such a visualisation in detecting or preventing attacks is limited, however, it provides an effective mechanism to explain the level of attack (directed and random) against the organisation on a pretty much constant basis.


Analysing SCCM Logs with Log Parser Studio

Posted on June 21, 2014

Microsoft System Centre Configuration Manager (SCCM) is used in an Active Directory environment to amongst other things deliver patches and antivirus to the servers and workstations.

In a large environment you can have quite a number of SCCM servers operating in tandem to deliver the data to the client devices. Obtaining details in an SCCM environment of exactly which endpoints are being served by which servers (or how busy each server is) isn’t quite as straightforward as one might imagine.  The client devices all connect to the servers through HTTP calls to collect the packages they require. The IIS logs from the SCCM servers can be downloaded and analysed to try to figure out what is happening in the environment.

The IIS logs contain a number of useful fields (a sample included below) :

LogFilename : E:\logs\SCCMP101\SCCMP101\W3SVC1\u_ex140410.log
LogRow : 5
date : 41739
time : 36526.7730902778
c-ip : 10.75.xx.xx
cs-username :
s-sitename :
s-computername :
s-ip : 10.98.xx.xx
s-port : 80
cs-method : GET
cs-uri-stem : /SMS_MP/.sms_aut
cs-uri-query : MPLIST
sc-status : 200
sc-substatus : 0
sc-win32-status : 0
sc-bytes : 608
cs-bytes : 124
time-taken : 15
cs-version :
cs-host :
cs(User-Agent) : SMS+CCM

Further fields such as Cookie, Referer events and process types are present but I found these to be generally blank.  The above example includes the data transferred (sc-bytes and cs-bytes) which were not turned on by default and which I found quite useful. These can be activated in IIS easily enough.

In my use case I obtained the logs from 83 servers which amounted to 2859 files over 254 folders coming to 122GB (uncompressed). The proves to be a little bit of a challenge when I don’t have SQL server installed on my PC or Laptop, MS Access is limited to 2GB database and even SQL Express 2014 is limited to 10GB.

I had previously heard of (but not used) Microsoft Log Parser. A quick search revealed version 2.2 (released some 9 years ago in 2005 – but don’t let that put you off) available for download. Now this is a pretty nifty tool as it understands log files in many different formats (and even plain text files). This saves you from having to clean up the log files to strip out headers (which are written to the logs every time the web server starts / restarts) and from having to combine many different files. A real time-saver.

You can then write SQL-like queries and have them executed against your log files to get your results. Now with data of the size above on my 8 Gig i7 870 @ 2.93GHZ running off a Seagate 2TB 7200rpm SATA drive it takes around 3.5 hours to run a query (know how to speed this up fundamentally do share).  Using Task Manager to monitor the execution of the query shows CPU utilisation of only around 8% (one thread sits at about a 50% utilisation) memory utilisation of between 50MB upwards (as the result set grows) and disk speed varying from about 8MB/s to 30MB/s. So not quite sure where the bottleneck lies.

Writing the queries at the command line is a little bit of a pain so the next bit of genius is the Log Parser Studio.  Unlike Log Parser, the studio is kept up to date, with the latest build being from 23 May 2014. The studio provides a library of queries (over 170)  covering logs from ActiveSync, IIS, Windows event logs, Exchange, Outlook Web access amongst others. Covers a huge number of ideas for useful analysis and provides the queries to do it for you.  What is great is that you can use these, modify them for your own purposes or create your own from scratch, and add them all to your own personal library.

For example, to understand what the patterns of access look like over a month a query such as this can be pretty useful.

/* Server total time and data transferred by date */
SELECT s-ip,date,count (s-ip),sum(time-taken),sum(sc-bytes),sum(cs-bytes)
GROUP BY s-ip,date

A challenge that you quickly come across is that both the Log Parser and the Studio (which is dependent on the Parser) are 32 bit applications so you need to be careful as to which fields and how much summarisation is included in the result set. If the results grow to quickly then the query will crash as it runs out of memory. The trick is to find a balance between too much information (it crashes) and too little information (need to run many queries). Finding the right balance means further analysis can be done in Excel or Access. I have found that 30 000+ rows still works if few enough fields are chosen and some smart queries are used.

When executing the above query a problem is that the bytes transferred exceeds the value that can be stored in the data type, so you end up with negative numbers for some of the lines returned. Rewriting the query as follows assists in resolving this problem :

/* Server total time and data transferred by date */
SELECT s-ip,date,count (s-ip),sum(div(time-taken,60)),sum(div(sc-bytes,1024)),sum(div(cs-bytes,1024))
GROUP BY s-ip,date

Log parser supports a huge number of different functions but you need to know the format to use them. Take a look here for a listing and examples :

So whereas I would have expected sum(time-taken/60) to give me a result in minutes it fails with an unknown field. Even (sum((time-taken)/60) fails. Check the function reference shows that log parser wants it as sum(div(time-taken,60)) and then life is happy again. Running your query again having just spent 3 hours waiting for the last one to complete – a little less so.

Using these tools and queries I was then able to summarise down the 160 gig of source data into a few thousand rows that could be imported into Access and joined to CMDB data to produce really useful intelligence that can be analysed directly in Access, Excel or Gephi. Thanks Microsoft for these great free products.

I was also looking for further pre-built queries for Log Parser Studio but was unable to find any. If you know where such may be found, please do share. If there is interest and as I use the tool more I will be happy to share anything I have created.









The Heartbleed bug : a short presentation given at the Kzn ISACA Chapter Meeting

Posted on June 03, 2014

I was honoured to be asked to make a (short) presentation at the May 2014 KZN ISACA Chapter meeting. The meeting went down well with probably around 25 people attending.

Attached is the PDF of the presentation.

I hope that some of the members present found it useful and that you, my readers, do too.

Feedback as always most welcome.

The Heartbleed Bug ISACA presentation v3


Award winning presentation on director interlocks on the JSE (SAAA conference June 2013)

Posted on July 14, 2013


SAAA biennial conference logo

My MBA dissertation was entitled “An analysis of director interlocks on the JSE -with reference to the top 40 listed companies” and took me quite some years to complete. There were complexities of having to collect all my own data due to inaccuracies in the CIPC database, having to relearn that matrix mathematics that I thought I would never use again after first year university 20 years ago, then figure out how all these analytical tools work.

During the completion process a few people commented that the only people who would ever read the document would be my supervisor and the two examiners (and even then I would be operating on faith). After all the work I had put in this was quite disheartening. When Leo Deodutt (my supervisor) suggested that we create a paper from the dissertation and submit it for the Southern African Accounting Association Biennial Conference to be held in Cape Town in June I jumped at the chance. What an opportunity to get the message out. Leo did a lot of hard work to cut down the dissertation to a 20 page paper, and in the process we had to restrict the paper to just one of the research questions covered in the dissertation. When the comments came back from the blind peer reviewer there was a nomination for best paper award, which was most gratifying. What an honour just to be nominated.

The presentation itself was again a challenge: to try to fit into 20m what took years to research, and to try to simplify the complexities and distil the message to one that can easily be conveyed to a broad audience. In the end this was achieved and the final presentation is attached. Leo is looking for opportunities to further present the work, and it is likely that we will present again at UKZN in the coming months. Mail me if you have ideas of appropriate forums who may be interested.

The day after the presentation I was absolutely thrilled to discover that we did indeed win the best paper award. I am pretty sure I didn’t stop smiling for a week. Thanks to Leo for all his hard work in making this happen.

Enjoy the presentation and leave any questions in the comments or drop me a mail.


Download a copy of the presentation :  SAAA conference June 2013 – director interlocks on the JSE final


Southern African Accounting Association : INTERNATIONAL BIENNIAL CONFERENCE

Posted on May 18, 2013

The SOUTHERN AFRICAN ACCOUNTING ASSOCIATION (SAAA) in collaboration with the INTERNATIONAL ASSOCIATION OF ACCOUNTING EDUCATION AND RESEARCH are presenting an INTERNATIONAL BIENNIAL CONFERENCE THEMED: The challenge of responsible Accountancy Academic Citizenship: The quest to balance teaching, research and academic leadership from 26-28th June 2013 at the LORD CHARLES HOTEL, SOMERSET WEST, CAPE TOWN, SOUTH AFRICA. Website here

I am delighted that a paper prepared from my Masters thesis by my supervisors, Leo Deodutt and myself has been accepted for presentation at the above conference.

During the finalisation of my dissertation there were a number of people who were gleefully reminding me that the examiners and I would probably be the only people who ever read or cared about my research. This didn’t fill me with any joy, so I am truly delighted to have the opportunity to share some of my research. It provides further impetus to the original thinking of publishing the material is a book of some format.

Watch this space :)

UKZN MBA 2013 Presentation : Security & Ethics

Posted on March 02, 2013

On Thursday afternoon I was privileged to speak to the UKZN 2013 MBA class on information security and ethics. Below is a copy of the presentation. Lots of detail in here which we didn’t get to cover in the two hours together, and lots to remind you of the things we shared. I hope you all enjoyed the time as much as I did.

Feel free to mail me or post any questions here.


Download PDF presentation : security and ethics 2013 UKZN MBA Feb 2013


Transversal password cracking with NMAP (without downloading the hashes)

Posted on February 16, 2013

A few months back I discovered that our service desk had become a little “lazy” and were no longer using the defined process (identify user, randomly generate new password, set to change on first use) and were now handing out weak passwords without requiring the users to change them.

In order to assess the extent of the problem I wanted to do a test against the domain to see how wide-spread the problem was. I Google’d around a bit to try to identify a tool which could perform the exercise for me, but didn’t really find anything that looked suitable. I knew that I didn’t want to grab the hashes and do an off-line attack , but wanted instead to do it “live” against the domain, both to avoid the responsibility of having a copy of all the hashes (risk of is too high and as Head of Infosec I didn’t want that on my head)  and also to test the alertness of the security operations centre in detecting the attack.

My criterion was simple, find a tool that given a file of usernames and a file of passwords would test the usernames with the given passwords.

Read the rest of this entry »

Want to download a list of Klout scores for a list of Twitter users? There is an app for that

Posted on January 21, 2013

Update : The tool is not working. I suspect it has something to do with the new methods introduced by Klout where a call first needs to be made to get the KloutID from the Twitter name, then lookup on the Klout ID. Will keep you posted on any progress.

With the TopTwits listings I have been doing I thought it would be good to be able to get the Klout scores in there and see how that changes the rankings for the top users. I also would like to see if I take the #afcon2013 player list how their Klout scores come out. There is a lot of debate around the merits of Klout, I don’t really want to get into that, rather just interested in the correlations.

I had a look at the Klout API and was considering trying to write some excel code to get me the Klout scores so I can just pop it into my Access database. I googled around about to avoid duplicating effort when I found a Windows App which does exactly what I wanted.

You will need to go onto Klout and register for a developer key to get the app to work, but it is simple and does the job.  It was a pain to find the app as googling for it produces and awful lot of junk above the app. Somehow I (luckily) managed to stumble across it, this post is simply to share that fortune and possibly assist others in finding this useful tool.

Thanks Wiggert of ISIZ Labs for sharing.

Oh, and if you download the tool and find it useful, just leave a not of thanks on Wiggert’s blog, I am sure he would appreciate it.


Excel Tool to download Twitter Statistics

Posted on January 20, 2013

I have been interested in analysing various Twitter stats and producing lists of top twitter users ( for some time now and been using various tools to do so. This has been challenging and the results I have been producing have been limited as a result. The tool I have used most is NodeXL,which is more for mapping social networks but has the side effect of being able to download “extended statistics” for each of the Nodes (people) on the network. This however does not give me all of the information I wanted and also works on screen names rather than the Twitter ID’s, so if someone changes their name they fall off my list.

Searching on-line I found that Google Docs spreadsheet provides a function ImportXML which a number of people have been using to bring XML results into a spreadsheet. It appears to have some limits (50 calls per document) which at the time seemed problematic since I was wanting to work with much larger lists. I know better understand some of the Twitter API calls so that limit is less extreme than I first though. Nonetheless I wanted to work in Excel as I am more comfortable with it.

I found online that Excel can import an XML document, and that you can enter a URL there, which includes the ability to enter the Twitter API calls directly. Using the macro recorder I then figured out the calls and put some basic scripting around it to take a column of screen names, break it up into batches of 25 and then execute the XMLImport function for each batch and insert the results into the sheet.

Read the rest of this entry »

Zacon presentation : Game Hacking : Ross Simpson

Posted on October 27, 2012

Unfortunately I missed Zacon this year, again! So far have only heard good things about it. Picked up on Twitter a short while ago that Ross Simpson had presented on “Game Hacking” and had made his presentation available for download, along with a number of the tools referenced. Makes a most interesting read and provides a good history to game hacking and introduction to those who want to get further into it.

Go and download the presentation and take a read here :

Thanks Ross for supporting Zacon, and for sharing a most interesting presentation.

Security considerations for Cloud Computing (ISACA publication)

Posted on October 13, 2012

ISACA has released their latest book on cloud computing : Security Considerations for Cloud Computing, earlier in the week I received notification that my personal copy is with FedEx on it’s way to South Africa for me, one of the perks of being an expert reviewer on the panel for the publication.

This guide is Another publication in the Cloud Computing Vision Series, Security Considerations for Cloud Computing presents practical guidance to facilitate the decision process for IT and business professionals concerning the decision to move to the cloud. It helps enable effective analysis and measurement of risk through use of decision trees and checklists outlining the security factors to be considered when evaluating the cloud as a potential solution.

There are five essential characteristics, three types of service models and four major deployment models taken into account relative to cloud computing. To ensure a common understanding of these models, this publication describes the characteristics of each characteristic and model.

This guide is meant for all current and potential cloud users who need to ensure protection of information assets moving to the cloud.

If you are making any significant use of Cloud Computing I would recommend you get your hands on the publication. It’s free for members to download, otherwise $35 for a hard copy, $70 for non-members.


Cyber Defence and Network Security Africa : Cloud-based Scanning

Posted on July 16, 2012

I am speaking tomorrow (17 July 2012) at the Cyber-Defence and Network Security Africa conference ( at the Crowne Plaza in Rosebank.

Time : 12:15 Cloud-based scanning: A case study from Transnet

  • The need for a supplemental, cloud-based scanning solutions
  • Cloud based scanning: how it works, the benefits, and limitations
  • Implementation challenges and lessons learnt at Transnet

Download a copy of the presentation here : Cloud scanning

Then later in the day I will be participating in a panel discussion with the esteemed Barry Irwin and Kabuthia Riunge. Details of this listed below, should be an interesting 45m.

16:00 Panel discussion: Cyber threats over the horizon and the future of information security

  • The current threats, and how these are likely to evolve over the medium term
  • State and non-state actors and the threats each poses
  • Preparing for cyberwar—what can (and what should) the private sector do
  • The future of cybercrime


  • Barry Irwin, Senior Lecturer, Rhodes University
  • Justin Williams, Principal Specialist: Information Security, Transnet
  • Kabuthia Riunge, Senior Information Security Officer, Central Bank of Kenya

Your twitter account has been hacked? How to fix this (and avoid it happening again)

Posted on July 01, 2012

My Twitter account was “hacked” a number of months back, and the accounts of a number of people I follow have been hacked on a fairly regular basis since. This is unfortunately a regular occurrence and spammers are increasing their efforts to get access to people’s accounts to spam their followers.

How do you know if someone you are following has been “hacked”? 

You will in all likelihood get a direct message from someone you follow which will be a generic message (but interesting or tempting one) which will have an embedded link to a site. Links these days are mostly shortened so you won’t immediately be able to see the final destination site. Clicking on it could be compromising your account and / or delivering up malware to your PC which your Antivirus software may or may not detect. So avoid clicking these.

Common messages that are coming up recently as direct messages include :

  • Twitter might start to charge in July, sign this petition to keep the service free! (link removed)
  • Hi, this user is saying really bad rumors about you … (link removed)
  • Hi some person is saying really bad things about you … (link removed)
  • Hi somebody is posting horrible rumors about you … (link removed)
  • Hey someone is saying nasty things about you… (link removed)
  • Various messages about weight loss or other obvious spam

How do you know if you have been “hacked”?

Your followers will send you messages pretty quickly to tell you, or they will be asking you why you are sending them strange messages (like the ones above). Don’t ignore these or react negatively, thank them for the warning and get on with fixing the problem before more of you followers are spammed and / or compromised.

What to do when you have been “hacked” ?

  1. Change your password.
    • Choose something decent, not a real language word, chuck in some numbers or special characters, and don’t think you are smart by using l33t sp3@k (leet speak).
    • Ra35!!me would be good, whereas P@ssw0rd would be bad.
  2.   Check to see what applications are “authorised” against your account. This can be used to keep sending SPAM even after you have changed your password.
    • Log in to your Twitter account on the web and open up your account settings.
    • Click on the Apps tab in the left-hand menu.
    • Read down through the list of applications to see that you know about them and trust them
    • If unsure of an application, revoke its access. You can always approve it again later.
  3. Check that if you associated your mobile number with your twitter account you have set up a PIN
    • Log in to your Twitter account on the web and open up your account settings.
    • Click on the Mobile tab in the left-hand menu.
    • Choose a PIN if you don’t have one (mix of 4 numbers and letters)
    • Go to the bottom of the page and click Save changes.
    • If your PIN is OK you will see a confirmation message.
  4. Apologise to your followers. Send them here if they have been “hacked”. Shortlink :
  5. Be vigilant

 How did you get hacked?

You may have clicked on one of the direct message links as per the examples above, or you may have received an interesting tweet or link to :

  • Sign a petition to stop twitter becoming a pay service
  • Save the Rhino, the Dolphins or the World
  • Anything else that looked interesting

If you do inadvertently click on a link, in some cases the URL shortening service (eg. will pop up a warning where they have determined the link to be dangerous. Consider this your guardian angel, say thanks and close the window.

If unlucky, you will end up on the page the attackers want you to. The most recent two I investigated put me on a page on which was a copy of the twitter login page with a timeout message asking me to log in again. If you are unfortunate enough to do so, that’s you toast, proceed to the fix section below :) The sites hosting these fake login pages vary from post to post and are more often than not themselves hacked, with the unlucky owners unaware of what is happening.

Chances are therefore that some website or app somewhere conned you into giving your credentials to Twitter or the app/site so that it could post something on your behalf. It may well be something that you wanted posted, however, it then piggybacks off that to send a whole lot of unwanted stuff. Just be aware, and vigilant, and followup quickly when something happens.

With information security, knowing how to react and clean up is just as important as prevention. It is not a matter of if, but of when your account will be compromised.

Thanks to :

  • Mandy Wilson (@Mandywilson_SA)
  • Samantha (@MetroGalZN)

If you have further comments and insight please leave it in the comments here or tweet me (@jjza). Please share this information (

P.S. To those infosec folks reading this, apologies for my very liberal use of the word “hack”

ISACA 2012 conference happening from 10-12 September 2012, registrations open soon

Posted on June 17, 2012

The ISACA South Africa 2012 conference is happening from the 10-12 September. Diarise the dates, get those purchase requisitions in. If you are wanting to present at the conference then mail Nadine ( – the speaker lineup is being finalised shortly so hurry up to make sure you don’t miss out.

The conference is being held at the Wanderer’s Club in Illovo. It’s right next door to the Protea hotel if you need accommodation, and is also served by the Gautrain and their buses, with a bus stopping right outside the hotel gates.

Hope to see you all there.

Security Summit 2012 presentations now available

Posted on May 24, 2012

The IT Web Security Summit is the premier security event on the South Africa security conference calendar. IT Web has kindly made the presentations and recordings of the presentations available on their website. If you missed out or are simply looking for a re-cap of the great material, take a wander over to the ITWeb site and catch up.

This was one of the first security events that I have seen dedicate a presentation track to ERP/SAP Security. Check out the presentations by :

  • Juan Pablo Perez Etchegoyen Cyber-Attacks on SAP & ERP systems: Is Our Business-Critical Infrastructure
  • Chris John Riley SAP (in)security: Scrubbing SAP clean with SOAP
  • Ian de Villiers Systems Applications Proxy Pwnage
  • Marinus Van Aswegen Securing SAP

Link to IT Web Security Summit Downloads

%d bloggers like this: