Hack I.T. - Security Through Penetration Testing

Description

  • Copyright 2002
  • Dimensions: 7-3/8" x 9-1/4"
  • Pages: 544
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-71956-8
  • ISBN-13: 978-0-201-71956-7

"This book covers not just the glamorous aspects such as the intrusion act itself, but all of the pitfalls, contracts, clauses, and other gotchas that can occur. The authors have taken their years of trial and error, as well as experience, and documented a previously unknown black art."
--From the Foreword by Simple Nomad, Senior Security Analyst, BindView RAZOR Team

Penetration testing--in which professional, "white hat" hackers attempt to break through an organization's security defenses--has become a key defense weapon in today's information systems security arsenal. Through penetration testing, I.T. and security professionals can take action to prevent true "black hat" hackers from compromising systems and exploiting proprietary information.

Hack I.T. introduces penetration testing and its vital role in an overall network security plan. You will learn about the roles and responsibilities of a penetration testing professional, the motivation and strategies of the underground hacking community, and potential system vulnerabilities, along with corresponding avenues of attack. Most importantly, the book provides a framework for performing penetration testing and offers step-by-step descriptions of each stage in the process. The latest information on the necessary hardware for performing penetration testing, as well as an extensive reference on the available security tools, is included.

Comprehensive in scope, Hack I.T. provides in one convenient resource the background, strategies, techniques, and tools you need to test and protect your system--before the real hackers attack.

Specific topics covered in this book include:

  • Hacking myths
  • Potential drawbacks of penetration testing
  • Announced versus unannounced testing
  • Application-level holes and defenses
  • Penetration through the Internet, including zone transfer, sniffing, and port scanning
  • War dialing
  • Enumerating NT systems to expose security holes
  • Social engineering methods
  • Unix-specific vulnerabilities, such as RPC and buffer overflow attacks
  • The Windows NT Resource kit
  • Port scanners and discovery tools
  • Sniffers and password crackers
  • Web testing tools
  • Remote control tools
  • Firewalls and intrusion detection systems
  • Numerous DoS attacks and tools


Downloads

CD Contents

Download the CD Contents from Hack I.T.—Security Through Penetration Testing

Sample Content

Online Sample Chapters

Security Through Penetration Testing: Internet Penetration

Security Through Penetration Testing: Wrap Up

Downloadable Sample Chapter

Click below for Sample Chapter related to this title:
klevinskych05.pdf

klevinskych22.pdf

Table of Contents



Preface.


Introduction.


1. Hacking Today.


2. Defining the Hacker.

Hacker Skill Levels.

First-Tier Hackers.

Second-Tier Hackers.

Third-Tier Hackers.

Information Security Consultants.

Hacker Myths.

Information Security Myths.



3. Penetration for Hire.

Ramifications of Penetration Testing.

Requirements for a Freelance Consultant.

Skill Set.

Knowledge.

Tool Kit.

Hardware.

Record Keeping.

Ethics.

Announced vs. Unannounced Penetration Testing.

Definitions.

Pros and Cons of Both Types of Penetration Testing.

Documented Compromise.



4. Where the Exposures Lie.

Application Holes.

Berkeley Internet Name Domain (BIND) Implementations.

Common Gateway Interface (CGI).

Clear Text Services.

Default Accounts.

Domain Name Service (DNS).

File Permissions.

FTP and telnet.

ICMP.

IMAP and POP.

Modems.

Lack of Monitoring and Intrusion Detection.

Network Architecture.

Network File System (NFS).

NT Ports 135–139.

NT Null Connection.

Poor Passwords and User IDs.

Remote Administration Services.

Remote Procedure Call (RPC).

sendmail.

Services Started by Default.

Simple Mail Transport Protocol (SMTP).

Simple Network Management Protocol (SNMP) Community Strings.

Viruses and Hidden Code.

Web Server Sample Files.

Web Server General Vulnerabilities.

Monitoring Vulnerabilities.



5. Internet Penetration.

Network Enumeration/Discovery.

Whois Query.

Zone Transfer.

Ping Sweeps.

Traceroute.

Vulnerability Analysis.

OS Identification.

Port Scanning.

Application Enumeration.

Internet Research.

Exploitation.

Case Study: Dual-Homed Hosts.



6. Dial-In Penetration.

War Dialing.

War Dialing Method.

Dialing.

Login.

Login Screens.

Gathering Numbers.

Precautionary Methods.

War Dialing Tools.

ToneLoc.

THC-Scan.

TeleSweep.

PhoneSweep.

Case Study: War Dialing.



7. Internal Penetration Testing.

Scenarios.

Network Discovery.

NT Enumeration.

UNIX.

Searching for Exploits.

Sniffing.

Remotely Installing a Hacker Tool Kit.

Vulnerability Scanning.

Case Study: Snoop the User Desktop.



8. Social Engineering.

The Telephone.

Technical Support.

Disgruntled Customer.

Get Help Logging In.

Additional Methods.

Dumpster Diving.

Desktop Information.

Common Countermeasures.



9. UNIX Methods.

UNIX Services.

inetd Services.

r Services.

Remote Procedure Call Services.

Buffer Overflow Attacks.

File Permissions.

Applications.

Mail Servers.

Web Servers.

X Windows.

DNS Servers.

Misconfigurations.

UNIX Tools.

Datapipe.c.

QueSO.

Cheops.

nfsshell.

XSCAN.

Case Study: UNIX Penetration.



10. The Tool Kit.

Hardware.

Software.

Windows NT Workstation.

Linux.

VMware.



11. Automated Vulnerability Scanners.

Definition.

Testing Use.

Shortfalls.

Network-Based and Host-Based Scanners.

Tools.

Network-Based Scanners.

Network Associates CyberCop Scanner.

ISS Internet Scanner.

Nessus.

Symantec (Formerly Axent Technologies) NetRecon.

Bindview HackerShield (bv-control for Internet Security).

Host-Based Scanners.

Symantec (Formerly Axent Technologies) Enterprise Security Manager (ESM).

Pentasafe VigilEnt.

Conclusion.



12. Discovery Tools.

WS_Ping ProPack.

NetScanTools.

Sam Spade.

Rhino9 Pinger.

VisualRoute.

Nmap.

What's running.



13. Port Scanners.

Nmap.

7th Sphere Port Scanner.

Strobe.

SuperScan.



14. Sniffers.

Dsniff.

Linsniff.

Tcpdump.

BUTTSniffer.

SessionWall-3 (Now eTrust Intrusion Detection).

AntiSniff.



15. Password Crackers.

L0phtCrack.

pwdump2.

John the Ripper.

Cain.

ShowPass.



16. Windows NT Tools.

NET USE.

Null Connection.

NET VIEW.

NLTEST.

NBTSTAT.

epdump.

NETDOM.

Getmac.

Local Administrators.

Global ("Domain Admins").

Usrstat.

DumpSec.

user2Sid/sid2User.

NetBIOS Auditing Tool (NAT).

SMBGrind.

SRVCHECK.

SRVINFO.

AuditPol.

REGDMP.

Somarsoft DumpReg.

Remote.

Netcat.

SC.

AT.

FPipe.

Case Study: Weak Passwords.

Case Study: Internal Penetration to Windows.



17. Web-Testing Tools.

Whisker.

SiteScan.

THC Happy Browser.

wwwhack.

Web Cracker.

Brutus.

Case Study: Compaq Management Agents Vulnerability.



18. Remote Control.

pcAnywhere.

Virtual Network Computing.

NetBus.

Back Orifice 2000.



19. Intrusion Detection Systems.

Definition.

IDS Evasion.

Stealth Port Scanning.

Aggressive Techniques.

Pitfalls.

Traits of Effective IDSs.

IDS Selection.

RealSecure.

NetProwler.

Secure Intrusion Detection.

eTrust Intrusion Detection.

Network Flight Recorder.

Dragon.

Snort.



20. Firewalls.

Definition.

Monitoring.

Configuration.

Change Control.

Firewall Types.

Packet-Filtering Firewalls.

Stateful-Inspection Firewalls.

Proxy-Based Firewalls.

Network Address Translation.

Evasive Techniques.

Firewalls and Virtual Private Networks.

Case Study: Internet Information Server Exploit—MDAC.



21. Denial-of-Service Attacks.

Resource Exhaustion Attacks.

Papasmurf.

Trash2.

Igmpofdeath.c.

Fawx.

OBSD_fun.

Port Flooding.

Mutilate.

Pepsi5.

SYN Flooding.

Synful.

Synk4.

Naptha.

IP Fragmentation Attacks.

Jolt2.

Teardrop.

Syndrop.

Newtear.

Distributed Denial-of-Service Attacks.

Tribe Flood Network 2000.

Trin00.

Stacheldraht.

Usage.

Application-Based DoS Attacks.

Up Yours.

Wingatecrash.

WinNuke.

BitchSlap.

DOSNuke.

Shutup.

Web Server DoS Attacks.

Concatenated DoS Tools.

CyberCop.

ISS Internet Scanner.

Toast.

Spike.sh5.3.

Summary.



22. Wrapping It Up.

Countermeasures.

Keeping Current.

Web Sites.

Mailing Lists.



23. Future Trends.

Authentication.

Two- and Three-Factor Authentication.

Biometrics.

Token-Based Authentication.

Directory Services.

Encryption.

Public Key Infrastructure.

Distributed Systems.

Forensics.

Government Regulation.

Hacking Techniques.

Countermeasures.

Cyber-Crime Insurance.



Appendix A.


Appendix B. The Twenty Most Critical Internet Security Vulnerabilities—The Experts' Consensus.


Index.

Preface

Why write a book about hacking? The question is really whether a book about the techniques and tools used to break into a network would be beneficial to the information security community. We, the authors, believe that penetration testing is a valuable and effective means of identifying security holes and weaknesses in a network and computing environment. Understanding how others will try to break into a network offers considerable insight into the common pitfalls and misconfigurations that make networks vulnerable. This insight is essential to creating a comprehensive network security structure.

Some may argue that providing this penetration-testing information gives script kiddies and hackers ammunition to better attack systems. However, script kiddies and hackers already have access to this information or have the time to find it--most of the material presented in this book is available from a variety of sources on the Internet. The problem is that the system and security administrators defending against attacks do not have the time or resources to research the sites necessary to compile this information. We decided to write this book to provide defenders with the information hackers already have. A hacker has to find only one hole to gain unauthorized access. The security group defending against the hackers needs to find all the holes to prevent unauthorized access.

There is no tried-and-true training that can make everyone a security expert, but there are some baseline principles, skills, and tools that must be mastered to become proficient in this field. Our goal is to provide you with those skills in a manner that helps you to understand the structure and tools used and to begin developing your own style of penetration testing. The process described in this book is not the only way to perform a penetration test. We continue to evolve our own methodology to respond to new technologies and threats. This process has worked well for us in the past and continues to be a successful way to evaluate and test network security.

Audience

This book is intended for the security administrators, systems administrators, technology auditors, and other authorized representatives of companies that want to legitimately test their security posture and intrusion detection or incident response capabilities. In addition, other individuals who need to assess systems and network security may find the tools and techniques described in this book useful. It is designed as a beginner's book for enhancing network security through penetration testing. No previous knowledge of penetration testing is required, but an understanding of networking, TCP/IP, Windows NT/2000, network security, and UNIX is needed to be able to execute a penetration test.

A word of caution: Although this book details the processes and tools for performing a penetration test, it does not describe how to do this without alerting network security devices. Many of these techniques will be detected and should not be performed without the written consent of the owners of the target systems. We intend for this book to be not a how-to hack manual but rather a framework for performing a systematic network security review. Intrusion detection mechanisms on most networks today have become very sophisticated and, if configured properly, can be used to track anyone practicing these techniques on a network.

How to Use This Book

The managers of an ever-growing number of companies are beginning to see information security as an issue requiring attention, showing how much of a threat they truly believe exists. In any case, whether you work as part of the security department of a large corporation or as a system administrator with security as part of your job description, knowing how to get into your network is one of the best ways to secure it.

The first part of this book (Chapters 1-4) explains the roles and responsibilities of a penetration-testing professional and the motivation and styles of the hacking community. This information provides insight into why hacking has become so popular with the media and what difficulties are associated with protecting a network. The material is designed to provide background information to support the use of penetration testing as an important part of an overall network security plan. A penetration test not only tests the network's ability to protect information and other assets from unauthorized individuals but also can test the organization's ability to detect such intrusion attempts and its incident response capabilities. We also discuss some of the common pitfalls in technology and defenses that contribute to security weaknesses. A large portion of successful network security breaches could have been avoided if special attention had been given to these issues.

The second part of this book (Chapters 5-10) provides a structured framework for a penetration test. Penetration testing can be broken down into a series of steps that provide an efficient and comprehensive review of individual network segments. Whether the test is an internal or external review, the methodology follows the steps of discovery, scanning, and exploitation. This section outlines methods for finding the target network, identifying possible vulnerable services, exploiting weaknesses, and documenting the results. This methodology yields a test that is structured, efficient, and repeatable. In this section of the book we also introduce various tools that can be used to assist with this methodology. We briefly describe each tool's use and place in testing.

The third section of this book (Chapters 11-16) provides greater detail on the tools that can increase the speed and accuracy of a penetration test. This "tools and techniques" section is presented in a reference format so you can locate a tool by its role in testing and obtain the information necessary to begin using the tool or find the information necessary to do so. A large collection of tools has been released by commercial and open-source programmers that identify vulnerabilities in networks, applications, and/or services and should be used as part of an assessment. While most of them may be identified by an intrusion detection system, they can usually find exposures on your network faster than manual methods. We provide detailed explanations of each tool, including its basic usage and where to get updates. You will find that some programs are described in greater depth than others. We spend more time on the tools that we find more helpful or that reveal the most information. For ease of use, we obtained demo or freeware software for many of the tools covered and included them on the CD-ROM available with this book. This software is intended to give you the opportunity to become familiar with some of the more popular tools and to see which work best for you. This section is designed to help you pick out the right hardware, operating systems, and software to make a testing tool kit.

The last section of this book (Chapters 17-23) moves toward advanced techniques and application testing. You should review this section once you have created and are comfortable with your own tool kit. This section details methods that can be used to evade intrusion detection systems and firewalls, control hosts on target networks remotely, and test Web servers. It also includes a discussion on denial-of-service attacks and a section on how to keep up with the current trends and latest developments in information security. This section contains a list of Web sites and e-mail lists that we used in our research, as well as information on long-term countermeasures to improve security. Finally, we include a brief discussion about future trends within the information technology arena and the possible risks that these trends may produce.

At the end of some chapters are case studies that deal with some of the issues and tools discussed. The case studies detail steps we have followed in real-world penetration-testing engagements to help illustrate how all the pieces of penetration testing fit together. The samples we selected include internal, external, and dial-up testing and reflect different operating systems, vulnerabilities, and exploits in an attempt to demonstrate as many of the techniques discussed in the book as possible. In each case we keep anonymous the name, industry type, and any other information that could be used to identify the parties involved.

--T.J. Klevinsky
--Scott Laliberte
--Ajay Gupta


Foreword

Click below for the Foreword related to this title:
klevinskyforeword.pdf

Index

Note: Page numbers followed by f indicate figures.

A

Accounts. See specific types

Active security, automated vulnerability scanning in, 169

Active X code, hidden, 47

Administrator accounts
     determining, with user2Sid and sid2User, 286–287
     password vulnerabilities of, 42

Administrator privileges, in default accounts, 34

Alerts, in firewall monitoring, 371

Announced testing
     definition of, 25
     vs. unannounced testing, 26–27

Anonymity, on the Internet, 16–17

Anonymous mail relay, vulnerabilities of, 140–142

AntiSniff, sniffer detection with, 251–254, 253f

Application(s)
     default installations of, vulnerability of, 454–456
     discovery of, in vulnerability analysis, 63, 64f
     holes in, vulnerabilities of, 32
     in internal penetration testing, 104–105
     in UNIX environments, 140–145

Application-based DoS attacks, 405–406
     tools for, 406–412

ARP packets, in resource exhaustion DoS attacks, 389–390

arpredirect, in dsniff, 245

AS400 systems, accessing, with SessionWall-3, 250

AT, in NT testing, 301–302

Attacks
     brute force (See Brute force attacks)
     internal, 3–4
     probability of, 14

Attrition.org, defaced Web site archive of, 6–7, 7t

AuditPol, in NT testing, 292–293

Authentication mechanisms, 433–437
     in tracing computer connections, 17

Authentication services testing
     case study for, 325–328, 327f
     with Web Cracker, 322–323, 322f, 323f
     with wwwhack, 320–321, 321f

Automated hacker tools, script kiddy use of, 12

Automated monitoring, 49–50

Automated vulnerability scanning. See Vulnerability scanning, automated

B

Back doors, installing with Netcat, 298–300

Back Orifice 2000, remote control with, 344–346

Backups, vulnerabilities associated with, 459–461

Banner grabbing
     in application discovery, 63
     definition of, 63
     in dial-in penetration, 88
     in internal penetration, 96
     with NetScanTools, 204–206, 205f

Baseline standards, importance in security architecture, 421

Berkeley Internet Name Domain (BIND) implementations, vulnerabilities of, 32, 485–487

Bindview HackerShield, 180

Biometrics, in secure authentication, 42–43, 434–436

BitchSlap, for application-based DoS attacks, 409

Brute force attacks
     authentication services targeted by, 320–323, 321f–323f
     default accounts targeted by, 34
     FTP targeted by, 35
     lack of monitoring and intrusion detection in, 38
     modems targeted by, 37
     for password cracking, 287–290
     TELNET targeted by, 35
     with Web Cracker, 322–323, 322f, 323f
     with wwwhack, 320–321, 321f

Brutus, in web site testing, 323–325, 324f

Buffer overflow attacks
     for DoS attacks, 410–412
     against IDSs, 355
     in internal penetration testing, 103
     on ISAPI extensions, 471–473
     on remote procedure calls, 482–484
     in UNIX environments, 133, 136–137
     on UNIX Web servers, 143

Bugtraq, vulnerabilities published by, 29, 426

BUTTSniffer, 248–249

bv-control for Internet Security, 180

C

Cain, password cracking with, 266–267, 267f

Caller ID software, in tracing computer connections, 17

CD Universe, credit card hack against, 6

CERT (Computer Emergency Response Team), Internet address for, 5, 426

CGI (Common Gateway Interface)
     scanning for vulnerabilities in, Whisker for, 316–318, 317f
     vulnerabilities of, 33

CGI programs, security issues in, 33, 467–468

Cheops, 148–151, 149f–151f

Cleaning staff scenario, in internal penetration testing, 93

Clear text services, 33
     sniffing, 105–106

Client companies, confidentiality of information from, 24

Common Gateway Interface. See CGI

Common Vulnerabilities and Exposures (CVE) numbers, 452–453

Community strings (SNMP), vulnerabilities of, 45–46, 492–495

Computer(s), unattended, vulnerabilities of, 122

Computer connections, traceability of, 16–17

Computer crimes, media coverage of, 5–6

Computer Emergency Response Team (CERT), Internet address for, 5, 426

Computer forensics, growth of, 439–440

Computer Intrusion Squad, FBI, security survey by, 2–4

Computer Security Institute (CSI), security survey by, 2–4

Computer viruses. See Virus(es)

Concatenated DoS tools, 412–416

Confidential information
     of client companies, 24
     dumpster diving for, 120–121

Configuration errors
     risks from, 30
     in UNIX environments, 145–146

Configuration files, for UNIX, 128–130, 129t

Configuration management, host-based vulnerability scanners in, 169

Consultant scenario, in internal penetration testing, 92–93

Core dump files, vulnerabilities of, 132

Corporate networks, virus susceptibility of, 6

Countermeasures, 419–423
     for DDoS attacks, 400, 403
     for dumpster diving, 123
     for null connections, 273
     packaging of tools for, 442
     for social engineering, 123–124
     for web server DoS attacks, 411–412

Cracker, definition of, 9

Crawl website tool, in Sam Spade, 219–221, 220f

Credit card numbers, publication of, 6

CSI (Computer Security Institute), security survey by, 2–4

Customer service, social engineering attack on, 116–118

CVE (Common Vulnerabilities and Exposures) numbers, 452–453

CyberCop
     configuration of, 171–175, 172f–174f
     for DoS testing, 412–413, 413f
     scanning with, 50, 167–168, 175

Cyber-crime insurance, 442–443

D

Data classification, importance in security architecture, 421

Datapipe.c, 147

Decoy addresses
