Adrian Janotta had virtually everything – girlfriend, career, friends, numerous hobbies and enviably few worries, but things unravelled after his girlfriend cheated on him. He began to drink, started having problems at work and lost his job. He lost touch with his friends and became increasingly absorbed in his new hobby, hacking, which he did at home, alone. Short of money and longing for recognition, his hacking activities led him into targeting online shops.
He got away with it until traffic police stopped him during a routine control and one of the officers thought that the boot full of laptops was suspicious. “My crime was detected through a random traffic control, not careless hacking. I was sentenced to several years. Imprisoned in Munich far away from my family and the few friends I had left. My time inside was an important, instructive experience.”
"The business plan was drawn up just two cells away from Uli Hoeneß."
He turned his life around. “Whilst in prison (on the same floor as football legend Uli Hoeneß, jailed for tax evasion) I studied business management and used my time to develop a business plan. Upon my release I registered my business.” Today, his clientele, including Telekom, Deutsche Bank, several SMEs, engineering firms and research institutes, engages him to protect their systems against cyber attacks. He claims most companies are naive about cyber security, not simply clients in these sectors, but even providers of software security. “They make promises they cannot keep. Imagine you buy a firewall to protect your network, then a week or two later find you’ve been hacked because the company providing your security can’t deliver what you’d expected. Unfortunately, this happens all the time. I’m sure many readers have experienced this themselves or heard of such cases. The same applies to anti-virus software. Despite virus guards, computers are full of spy software”, says Janotta.
He also worries that artificial intelligence can serve as a weapon. According to Janotta “today’s average hacker won’t be using AI yet, but the military uses AI for attacks on electricity grids, factories, control systems and drinking water supplies. This type of digital weapon is ideal for cyber attacks and more potent than an army”.
AI attacks are efficient because they not only attack vulnerabilities but also identify thousands of entry points into the virtual world. But Janotta assures us: “Depending on the software, an attack could take a few minutes, hours or days, but there is no immediate general threat as this kind of software is not yet available to the public.” How could an attack work? Janotta explains: “The system simulates digital attacks, learns from failed or successful attacks and thus develops strategies to deal with specific attacks on a network or an individual computer. Machines learn in different ways and it’s a bit different with AI attack systems.” To detect security gaps the attack algorithms employ both pattern recognition and traditional search methods such as fuzzing. Fuzzing software generates random data and transfers it to the system targeted for scrutiny. This is carried out at the same time as monitoring software tracks and records how the targeted system responds to randomly generated data. The system searches for the best method of attack – the typical metasploit hacking framework. “It learns to identify security risks and can decide which tool is best suited to combat attacks on identified vulnerabilities.” However, as he points out: “Highly complex attack software requires a super computer with quadrillions of operations per second.”
“Thus, an AI attack on a factory would be disproportionate, but might conceivably target a country’s entire infrastructure – all plant, machinery and robots in a factory – repeated a thousand times over.” Impossible? “Not at all: a hacker could compromise every device and machine in the network. Standard passwords or company passwords make it easier for malicious hackers.”
Of course, AI has a defensive function too. “We use AI to run penetration tests.” Janotta has found that penetration tests, which simulate attacks on IT systems, can be inefficient as they execute all digital signatures. According to Janotta more human pentesters are needed, although the success rates are inconsistent.
His solution: AI. Janotta has developed deep-learning algorithms for penetration tests: self-learning algorithms that perform unsupervised learning tasks themselves. This is better than manual penetration testing, as unlabelled data is more common than labelled data. Examples of deep structures which can be subjected to unsupervised security tests include software, networks or server infrastructures. With every fully automated scan carried out, the algorithm learns to add the expected vulnerabilities automatically and tests the system for security gaps.
Yet clients remain sceptical. “They trust humans more than AI”, says Janotta, who is confident about the future of data security. “However, for the time being, the idea of software that can protect itself remains a vision of the future. Imagine a Windows operating system that constantly attacks itself in order to identify security gaps and then close them.”
What is his advice until this happens? “One in two users still relies on an anti-virus program or the limited protection afforded by data legislation. Deploying hackers to search for vulnerabilities and security gaps in the system is a much better solution, whether at a technical or even social level, because social engineering continues to be a simple and dangerous entry gate. A CEO once said to me: “We turn to you for help because in our view a hacker is the only person who can stop another hacker.”