BSides Toronto 2025
We hacked 7 of the 16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases, all within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk.
The Model Context Protocol (MCP) unlocks powerful tool use for LLMs—but it also widens the blast radius: arbitrary tool calls, untrusted context, and exfil-prone plugins. This talk introduces a Zero-Trust MCP Server Gateway that sits between LLM agents and MCP tools to enforce policy, isolate risk, and add observability. We’ll cover identity for agents and tools, per-tool allow/deny lists, schema validation, and least-privilege scopes. We’ll map MCP server security controls to AI risks (prompt injection, sensitive information disclosure, insecure tool use). Attendees leave with a reference architecture for secure MCP server deployment.
The global acceleration in quantum computing research and development presents a fundamental shift in the threat landscape for cybersecurity. For decades, organizations have relied on classical cryptographic algorithms—such as RSA, ECC, and Diffie-Hellman—to secure sensitive data, protect identities, and ensure the confidentiality and integrity of communications. However, the advent of cryptographically relevant quantum computers (CRQCs) poses an existential threat to these algorithms. With quantum algorithms like Shor’s and Grover’s, adversaries will be able to break widely used encryption and signature schemes at scale, rendering current protections obsolete.
This evolving risk makes the transition to quantum-safe cryptography not just advisable, but essential. The process of securing environments against future quantum threats—known as Quantum-Safe Discovery and Remediation—is a structured approach that involves identifying vulnerable cryptographic assets, assessing business impact, and migrating to NIST-approved post-quantum cryptographic (PQC) algorithms such as CRYSTALS-Kyber and Dilithium.
In this session, we explore the technical and strategic foundations required for quantum resilience. Participants will gain insights into:
• Cryptographic asset discovery and classification across legacy and hybrid IT environments
• Risk assessment methodologies that prioritize high-value data and systems
• Crypto-agility strategies that enable flexible algorithm replacement without significant architectural redesign
• Implementation of hybrid cryptographic models that combine classical and PQC algorithms during transition
• Integration with regulatory frameworks and compliance standards (e.g., NIST SP 800-208, ISO/IEC 23837)
We also address key operational considerations such as key management, lifecycle automation, performance benchmarking, and vendor interoperability. This session is designed for security architects, IT leaders, and compliance professionals seeking to understand the technical steps necessary to protect digital infrastructure from quantum-enabled threats.
By adopting a phased and proactive approach, organizations can future-proof their cryptographic posture, ensure business continuity, and preserve digital trust in the face of quantum disruption.
Embarking on our first hardware hacking project, we came across the Furbo treat-dispensing smart camera for pets. Over the course of 3 months of research, we identified nearly 40 vulnerabilities across the mobile application, the Bluetooth communications, and the devices themselves. This talk will showcase our journey to destroy pet-surveillance devices, our struggles with defeating the firmware encryption, more than a few vulnerabilities found along the way, and we will show you how we got it to play Darude Sandstorm!
“Welcome to the company! We are excited to have you join our team!
You are our first security hire! We do not have a formal Security or IT team.
So let us know if you need anything.”
Where do you begin?
It’s coming, and you aren’t ready. Your company’s virtual agent is sending inappropriate messages and handing out customer PII to anyone who asks nicely. And who are they going to call? You. This talk explores the investigation and response process for handling the unique threats to GenAI chatbots.
AI agents are revolutionizing cybersecurity - but are they friend or foe? These autonomous systems can detect threats faster than human analysts, but they're also being weaponized by attackers for sophisticated social engineering and automated exploitation. This talk examines both sides of the AI agent coin through real-world examples and live demonstrations.
You'll see how AI agents can enhance your security operations, automate incident response, and improve threat hunting. But we'll also explore how adversaries are using AI agents for targeted phishing, automated vulnerability exploitation, and bypassing traditional security controls. We'll cover practical implementation strategies for defensive AI agents and detection techniques for malicious ones.
No theoretical frameworks or vendor pitches - just actionable insights from implementing AI agents in enterprise security programs and defending against AI-powered attacks. You'll leave with practical knowledge to either deploy AI agents in your security operations or better defend against them.
Token Theft attacks have risen during the past few years as organisations have moved to stronger authentication methods. Entra ID has built-in protections to mitigate these attacks. This session will cover how to use these protections and technical details of how they work under the hood.
By now, most people in the industry are familiar with Bills of Materials. However, the seemingly trivial idea of storing and sharing xBOMs often becomes a challenging and time-consuming process. In this talk we will introduce the OWASP Transparency Exchange API (TEA) project, which aims to standardize the process.
Malicious packages hiding in plain sight? Welcome to modern open source ecosystems. This talk explores how open source code—once limited to harmless PoCs and bug bounty tools—is increasingly being weaponized as real malware in the npm and PyPI ecosystems. We’ll walk through how these threats have evolved, dive into real examples, and show how you can analyze and understand them, even when they try to hide behind layers of obfuscation.
This talk explores various techniques, tactics, and psychological models used to infiltrate emerging threat actor groups. We will examine the process of target identification and discuss when it is appropriate to attempt infiltration. Additionally, we take a closer look at the concept of probing the enemy and the idea of weaponizing new relationship energy (NRE), which can be effective at destabilizing individuals and placing them outside of their comfort zones. An important aspect of Persona Theory is not only what we write but also how we present it. Stylometric analysis can be particularly useful in this area. We will compare transliteration and translation (both human and machine) to understand how to pass as a native speaker.
Join Damien, Threat Researcher at Obsidian Security, as he spins a tale of how the infamous hacker collective known as Scattered Spider wove their way through SaaS to ensnare their prey—all in under 24 hours.
File upload vulnerabilities in cloud-native environments can have catastrophic consequences far beyond their perceived low severity. This session exposes a major flaw in Streamlit’s st.file_uploader widget, demonstrating a real-world exploit chain from bypassing client-side checks to gaining persistent access, manipulating cloud roles, and tampering with live data dashboards. Learn why trusting frontend logic is dangerous and how open-source misconfigurations become high-impact attack surfaces.
Supply chain attacks represent one of the most pervasive threats in modern cybersecurity, with the potential to compromise thousands of systems simultaneously. This talk presents a detailed technical analysis of a supply chain compromise campaign that successfully compromised multiple NPM and PyPI packages within a 10-day period, affecting packages with over 30 million weekly downloads.
We’ll highlight how earlier variants targeted smaller, lesser-known assets before pivoting to high-visibility projects, and how technical similarities across samples linked this operation to previous malware families.
What do lost luggage, outdated maps, and the "I'M NOT TIRED" nap refusal have to do with cyber resiliency? Everything!
In this session, we’ll explore the most common — and costly — data protection worst practices through the lens of a family vacation gone horribly wrong. Attendees will leave equipped with clear strategies to avoid their own data disaster stories.