
The Reign of Botnets: Defending Against Abuses, Bots and Fraud on the Internet

by Mark Rowe

Author: David Senecal

ISBN No: 978-1-394-26243-4

Review date: 12/12/2025

No of pages: 256

Publisher: Wiley

Publisher URL:
https://www.wiley.com/en-gb/The+Reign+of+Botnets%3A+Defending+Against+Abuses%2C+Bots+and+Fraud+on+the+Internet-p-9781394262434

Year of publication: 01/05/2024

Price: £23.99 (ebook)

The California-based author works for the cloud computing and app security product company Akamai Technologies, on bot detection. He opens with a ‘short history’ of the Internet, which may be sobering to those who lived through it (so far) and informative to young readers to whom life before the Internet is indeed history. The Internet, Senecal points out, ‘has changed everything: it has altered the way we shop, bank, interact with our healthcare providers, interact with each other, book our vacations, explore the world, and even work’.

Some definitions: bot is short for robot, ‘which generally designates software running on a computer designed to perform a specific task. In the web context, this task mainly consists of collecting the data available on the Web’. A botnet is a network of bots that run the same software designed to accomplish a specific task. Not all botnets are bad; some legitimately trawl the Internet in order to index it. Fraudsters may use botnets to, for example, create fake accounts on a website, ‘later used as part of a broader fraud scheme’; or, in online retail, to guess gift card numbers; or to post spam content on forums, product review boards, or social media to advertise products. Much, or even most, traffic on the Internet may be from bots, not real humans. That explains why, when browsing, you may have to go through a CAPTCHA challenge (short for Completely Automated Public Turing Test to Tell Computers and Humans Apart). We only have ourselves to blame; if ‘account takeover’ is a problem, that’s because we stick with ‘user-name and password’ as the primary method to identify and authenticate users on the Internet; ‘the total number of accounts breached is more than 4.1 billion’.

As further proof of quite how many accounts have been compromised, the author recommends you run your own email and other accounts through the Have I Been Pwned website. The author admits that two of his email addresses had been part of multiple breaches. He now uses a password manager. By chapter three, the author is printing chunks of code to explain how botnets have become more sophisticated. By a third of the way into the book, you will have to understand such technical terms as ‘headless browser’, and the phenomenon of how, in countries like Venezuela and Indonesia, people work as ‘CAPTCHA farm workers’, solving CAPTCHA challenges on behalf of … whoever; fraudsters?

As for detecting botnets, at the centre of the book, you either have a ‘positive security’ focus, seeking to identify what is legitimate; or ‘negative security’, a focus on identifying what is bad. As the attacks evolve so rapidly, either way can be a constant struggle: “IoT devices make it much more difficult for web security vendors to learn what is legitimate online due to the sheer variety of hardware, software, and configuration.” Again, we, humanity, are our own worst enemy; Internet users ‘want to avoid having to prove they are human before they can interact with a website’.

The author admits that detecting bots is ‘not a perfect science’; rather, you try ‘to keep the malicious traffic at bay while providing legitimate users with the best experience possible’. To spell it out: to manage bots and prevent online fraud, you have to accept that it’s a problem for the long run: “This means continuously developing new detections to keep up with the evolution of threats.” The author advocates ‘defence in depth’, using several layers of detection, so that only a small percentage of all the bots pass through entirely to your web server.
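The positive/negative split and the layered approach described in the two paragraphs above, as an added toy example in Python (not code from the book, the reviewer or Akamai); the layer functions, thresholds, user-agent markers and sample requests are all constructed for illustration:

```python
# Added example, not from the book or review: a toy defence-in-depth bot
# pipeline. Each layer returns a verdict or None (undecided); the first
# definite verdict wins, and only requests that every layer lets through
# reach the web server. Signatures, thresholds and traffic are constructed.
from dataclasses import dataclass
from typing import Optional

ALLOW, BLOCK, CHALLENGE = "allow", "block", "challenge"

@dataclass
class Request:
    client_ip: str
    user_agent: str
    requests_per_minute: int
    verified_crawler: bool = False  # assumed set upstream, e.g. by a reverse-DNS check

# Positive security: explicitly recognise what is legitimate (indexing bots).
def positive_layer(r: Request) -> Optional[str]:
    return ALLOW if r.verified_crawler else None

# Negative security: recognise what is known to be bad (headless browsers).
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")  # constructed list
def signature_layer(r: Request) -> Optional[str]:
    return BLOCK if any(m in r.user_agent for m in HEADLESS_MARKERS) else None

# Behavioural layer: humans do not sustain hundreds of requests a minute.
RATE_LIMIT, SUSPECT_RATE = 120, 40
def rate_layer(r: Request) -> Optional[str]:
    return BLOCK if r.requests_per_minute > RATE_LIMIT else None

# Final layer: still undecided but mildly suspicious traffic gets a CAPTCHA.
def challenge_layer(r: Request) -> str:
    return CHALLENGE if r.requests_per_minute > SUSPECT_RATE else ALLOW

LAYERS = (positive_layer, signature_layer, rate_layer, challenge_layer)

def decide(r: Request) -> str:
    for layer in LAYERS:  # first definite verdict wins
        verdict = layer(r)
        if verdict is not None:
            return verdict
    return ALLOW

def origin_share(requests) -> float:
    """Fraction of the traffic mix that reaches the web server unchallenged."""
    return sum(decide(r) == ALLOW for r in requests) / len(requests)

SAMPLE = [  # constructed traffic mix: two humans, two bots, one verified crawler
    Request("203.0.113.5", "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0", 12),
    Request("198.51.100.7", "Mozilla/5.0 HeadlessChrome/120.0", 5),
    Request("192.0.2.9", "Mozilla/5.0 (X11; Linux) Firefox/121.0", 300),
    Request("192.0.2.10", "Mozilla/5.0 (X11; Linux) Firefox/121.0", 60),
    Request("192.0.2.11", "ExampleSearchBot/1.0", 90, verified_crawler=True),
]
```

Because the positive layer runs first, the verified crawler is admitted despite a request rate that would otherwise trigger a challenge; the order of layers is itself a policy decision.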

Do you need to understand this subject? As the author says, most corporates will partner with a web security vendor and outsource the bot management. If you work for a retailer or a gaming company, you may need more than a nodding understanding of the online threats, while not following every detail. Something else non-technical to keep in mind is that businesses collecting ‘massive amounts of data about their users to understand what system they run, where they are, and what they like’ are carrying out ‘a significant intrusion’ into our privacy, and hence come under data protection regulation. Those at work on web security and on web privacy ought to work together more, the author argues at the end; given that only the elite know how to stay private when using the web, while the rest of us ‘must choose between privacy and the quality of their online experience’.