Frank Allenby

Bio

My name is Frank Allenby; I was an analyst at SensePost for a bit more than two years. I’ve performed many penetration tests throughout the country (and other countries too), and have a fair amount of knowledge in-and-around the Infosec industry.

I very much enjoy the human aspect of things, and abuse thereof. I also really like development, and developing projects around my needs.

Talk: Breach huffing; a culinary exploration of data breaches

My BSides talk will be focused around data breaches and aimed at a 45-minute slot. It will be inclusive of my experience working with and around them, aspects of their usefulness to the security industry, fun ways to make use of the data to find things you weren’t expecting or didn’t think about, and a few bits about the breach underground and its operations. I may be demoing our project if required, or if you or the attendees are interested in it. It is to be noted that this project will at no foreseeable point become available to the general public. It’s kind of a medium-dive into data breaches and some bits of deep-diving. Also a whole lot of shallow-diving. I will try to cover as much around the topic as possible while still going into depth in the interesting bits.

I feel that this talk would be of value to BSides and its attendees since data breaches cause a whole lot of noise, and everyone loves them (except those whose data has been breached), though few people know much about them or what the whole thing entails. This talk would provide a good baseline of the state of data breaches, their use, and some cool stuff you can do with them. From there, the attendees may have their own ideas. I’m also open to questions and dialogue around this, and other work.

Additional Information Provided

I very much enjoy the human aspect of things, and abuse thereof. I also really like development, and developing projects around my needs.

One such project I’ve been working on for over a year in various manners and increments (the server’s hard drives failed once =[ ), is a data breach indexing system. In its current state, I am storing roughly two billion records of breached data from various public and probably-public-enough sources.

I have written an interface and API to query this data, which is effectively HTML, CSS, and JavaScript with AJAX calls to the API.

The project has evolved quite a bit over the last year, starting with a Postgres database hosting about 400m records thrown together in a day, with a Python Flask-based backend, to our Google BigQuery-based implementation. Our entire architecture is serverless, and we make full use of cloud-based solutions to this end. This enables us to care less about the security of our boxen – because there are none – and more about the security of the aspects we can control. What this means in the end is that we only really need to secure our API properly, and Google handles the hard parts.

From a security standpoint, this is pretty much a dream. I don’t really have to worry about my boxen being pwned, and that really helps me sleep. Plus, I don’t need to hyper-optimise everything manually since Google does that for me. Win-win. Plus, it is quite a bit cheaper, surprisingly.