BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsides-canberra-2025//talk//JTAHUJ
BEGIN:VTIMEZONE
TZID:AEST
BEGIN:STANDARD
DTSTART:20000326T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3;UNTIL=20050326T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20060402T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060401T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20070325T040000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=3;UNTIL=20070324T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20080406T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000827T030000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=8;UNTIL=20000826T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20011028T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20071027T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20081005T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsides-canberra-2025-JTAHUJ@pretalx.com
DTSTART;TZID=AEST:20250925T110000
DTEND;TZID=AEST:20250925T115500
DESCRIPTION:In today’s AI-driven world\, autonomous agents powered by adv
 anced language models are handling everything from file processing to SQL 
 queries with each capability opening up new attack vectors. In this talk\,
  we draw on our year-long tracking of production-grade agentic AIs (includ
 ing OpenAI’s ChatGPT) to reveal three classes of real-world threats and 
 their defenses:\n\n- Sandbox Escapes & Code Execution: We dissect containe
 rized sandboxes—revealing how malformed file uploads or hidden backgroun
 d daemons can break isolation\, persist code\, or hijack Jupyter kernels
 .\n
 \n- Steganographic Exfiltration & Indirect Prompt Injection: By embedding 
 malicious prompts into innocuous images or Office documents\, attackers ca
 n coerce multimodal models (e.g.\, GPT-4o) into leaking credentials or dat
 a without user interaction.\n\n- AI-Native MCP SQL Injection: We uncover h
 ow malicious prompts directed at Model Context Protocol (MCP) endpoints ca
 n silently tamper with or exfiltrate entire database backends—quickly ca
 scading into downstream AI pipelines.\n\nWe demonstrate how LLM-powered
  agents can be compromised by utilizing a proof-of-concept AI agent with t
 hese vulnerabilities\, showing the impact of the exploits and emphasizing 
 the critical need for advanced security measures.
DTSTAMP:20260604T010523Z
LOCATION:Off-Main Track
SUMMARY:From Sandbox Escapes to MCP Database Hijacks: Unveiling Agentic Vul
 nerabilities - Sean
URL:https://pretalx.com/bsides-canberra-2025/talk/JTAHUJ/
END:VEVENT
END:VCALENDAR
