Home > Articles

This chapter is from the book

This chapter is from the book

Tools of the Trade

The "tools of the trade" are the means a cracker or hacker might use to penetrate your network. Some of the tools covered are programs, and some of these tools are techniques.


When most people hear the word reconnaissance, they think of spies and the espionage world. Although that community does indeed use reconnaissance, so does the cracker community. What is reconnaissance, and why do crackers use it? Reconnaissance is the process of gathering information about specific target(s). When a good burglar decides to rob a house, he will scope out an area to see how often neighbors, cops, and other traffic passes through. This gives the robber a good idea of the best time of day to attack. The same basic philosophy holds true for a cracker when she wants to attack a network or Web site.

When a cracker decides she wants to attack a network, there are many "recon" tools at her disposal. Let's look at a few of them and see how they work.

Social Engineering

The first and probably the most underrated tool available is social engineering. Social engineering involves tricking, conning, or manipulating people into providing information detrimental to a company, organization, or a person. This type of information can be used to help plan, organize, or execute an attack.


Ira Winkler's excellent book Corporate Espionage (Prima Communications) covers social engineering, along with many other tactics used in obtaining information. It also discusses how to protect yourself against these types of attacks. For more on Ira, you can go to http://www.annonline.com/interviews/970512/. Another good book on social engineering is The Art of Deception (John Wiley & Sons) by the famous cracker Kevin Mitnick.

How does social engineering work? A good example is through a help desk. Cracker A wants to attack ABC123 Inc., a computer software company, and therefore wants to find out usernames, passwords, and maybe even some security measures ABC123 has in place. He begins by calling ABC123's main number, explains to the secretary that he is new to the company, works offsite, and needs the help desk number in order to set up his account and password. The secretary provides him with the number. Cracker A then calls up the help desk number, explaining the situation to the person on the phone and asks for a username, a password, and how he can get access to the network from the outside. Help Desk Worker B happily provides this information within seconds, not once questioning his request. (Why not? Most help desk operations I have seen stress customer service—"Remember: Never anger a customer.")

This simple scenario can provide the attacker with enough information to make an attack much easier to pull off without being detected. Other techniques that are related to social engineering are

  • Dumpster diving—A person goes through a dumpster or trash can looking for trash that contains information, such as an IP address, old passwords, and quite possibly a map of the network. Although this technique is often a dirty one, it is very effective.

  • Impersonations—A cracker pretends to be someone important and uses that authority to obtain the information she is looking for.

These social engineering techniques are effective, and there are many more that are beyond the scope of this book. Keep in mind that people still use these techniques, and they are a threat to both you and your company's security.

Port Scanners and Passive Operating System Identification

This section provides a technical overview of port scanners and sniffers, along with details regarding the art of passive operating system identification.

Port scanners are programs that check a computer's TCP/IP stack for ports that are in the LISTEN state. TCP/IP combines many protocols, enabling communication on the Internet. The TCP/IP protocol suite consists of 65,535 ports. Ports 1–1023 are considered "well-known" and on many computer systems—only users with root/admin privileges can use start processes that listen on these ports. Ports 1024–49151 are called registered ports, and ports 49152–65535 are considered dynamic and/or private ports.


Find the port numbers list online at http://www.iana.org/assignments/port-numbers.

The Transmission Control Protocol is covered by RFC 793, which defines many standards that socket programmers need to follow. It also defines how TCP will react to certain packets (FIN, ACK, and SYN):

If the state is CLOSED (that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the state is LISTEN then first check for an RST. An incoming RST should be ignored. Second, check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third, check for a SYN; if the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB then send a reset and return.

What this tells us is how listening and closed ports respond to certain TCP flags. Knowing this, programmers can write programs that go out and identify open and closed ports. These programs are considered port scanners.

Let's look at some "famous" port scanners and see what they can and cannot do.


To find out more information on TCP/IP, see the RFCs online at http://www.ietf.org/rfc/rfc0793.txt?number=793 and http://www.ietf.org/rfc/rfc0791.txt?number=791.


For some great information on TCP/IP fingerprinting, see http://www.insecure.org/nmap/nmap-fingerprinting-article.html.


Nmap is probably the most popular port scanner being used and actively developed today. The brainchild of Fyodor (http://www.insecure.org), Nmap has grown through the active participation of the open source community. Nmap gives the user many options in scanning. Listing 3.1 shows the results of nmap -h. This is a great starting point for Nmap. For more details on Nmap, see the man page at http://www.insecure.org/nmap/data/nmap_manpage.html.

Listing 3.1 Nmap -h Results

Nmap V. 3.10ALPHA3 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
 -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
 -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
 -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
 -p <range> ports to scan. Example range: '1-1024,1080,6666,31337'
 -F Only scans ports listed in nmap-services
 -v Verbose. Its use is recommended. Use twice for greater effect.
 -P0 Don't ping hosts (needed to scan http://www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
 -6 scans via IPv6 rather than IPv4
 -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
 -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
 -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
 -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
 —interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O http://www.my.com '192.88-90.*.*'

Listing 3.1 illustrates how easy Nmap is to configure, and what options are available for scanning. Let's take a look at a few switches, discuss what they do, and how they can be used in reconnaissance.

The -sT switch is probably the loudest switch we will cover (not as stealthy as others). This switch tells Nmap to make a complete connection with the targeted computer. This type of scan is easy to detect, and probably won't be used if an attacker is serious about performing reconnaissance on a computer system.


In early 2001, a group of SANS analysts put together a book about intrusion detection signatures called Intrusion Signatures and Analysis (New Riders). It's a great reference for anyone who wants to dig deeper into intrusion detection and attack signatures.

The -sF switch sends FIN packets to the targeted computer. How does this work? When a computer receives a FIN, it has a few reaction options:

  • If the port is in the LISTEN state, the computer will not reply.

  • If the port is in the CLOSED state, the computer will respond with a RESET.

  • If there has been a connection, the computer will begin breaking the connection. (We won't worry about this option right now.)

The computer's response tells Nmap what ports are open when using the -sF switch. Listing 3.2 shows the results of an -sF scan from a user standpoint.

Listing 3.2 Nmap -sF User Results

Starting nmap V. 3.10ALPHA3 ( http://www.insecure.org/nmap/ )
Interesting ports on (
(The 4000 ports scanned but not shown here are in state: closed)
Port  State  Service
47017/tcp  open  unknown
TCP Sequence Prediction: Class=random positive increments
Difficulty=3980866 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed — 1 IP address (1 host up) scanned in 5 seconds

This scan ran against a Linux machine that had the t0rn rootkit (port 47017 is a dead giveaway) running, and these are the results:

20:00:48.813047 > >
_192. F 0:0(0) win 1024 (ttl 48, id 31728)
       4500 0028 7bf0 0000 3006 8b89 c0a8 0105
       c0a8 0101 b899 01d9 0000 0000 0000 0000
       5001 0400 6e1a 0000
20:00:48.813153 > >
_192. F 0:0(0) win 1024 (ttl 48, id 56669)
       4500 0028 dd5d 0000 3006 2a1c c0a8 0105
       c0a8 0101 b899 0297 0000 0000 0000 0000
       5001 0400 6d5c 0000
20:00:48.813188 > >
_192. F 0:0(0) win 1024 (ttl 48, id 23854)
       4500 0028 5d2e 0000 3006 aa4b c0a8 0105
       c0a8 0101 b899 05b2 0000 0000 0000 0000
       5001 0400 6a41 0000

If a person was running a sniffer, he would see this code. What you don't see here are the resets being sent back by the ports being scanned. This technique is used by many crackers to perform reconnaissance against a target. This scan is much harder to detect than the -sT switch.

The -sS switch uses SYN packets to determine whether a port or group of ports is open. This scan is commonly referred to as the half-open scan. Why? Well, Nmap sends a SYN packet to a port. If the port is open, it will respond with a SYN|ACK. If Nmap receives the SYN|ACK, it will respond with a RESET. Therefore, if you send half-open packets, your chance of being detected decreases (in theory). Many crackers use this scanning technique to check for open ports, because sometimes this activity is logged. In today's world, though, many firewalls and IDSs do log these attempts.

The final switch is -sX, Nmap's "X-mas tree" packet, in which Nmap sets the FIN, URG, and PUSH flags, as well as others. Under normal conditions, this is not a normal flag combination. Normally, a person would see FIN, URG, and ACK, but not a FIN, URG, and PUSH combination. The reason for this flag combination is simple: Crackers can bypass some firewalls and intrusion detection systems with it.

How does this relate to reconnaissance? Nmap is a great tool for performing reconnaissance. With all the switches and options available, it is difficult for a firewall administrator or IDS analyst to positively identify all the possible scans available with Nmap.


Dying for more information on Nmap? Direct your browser to http://www.insecure.org.


Another great port scanner used today for reconnaissance is hping2. This is probably one of my favorite tools to have because it is very configurable. Table 3.1 lists many of the options available with hping2.


Information on hping2 can be found at http://www.kyuzz.org/antirez/hping2.html.

Table 3.1 hping2 Options


hping2 Host




Show this help



Show version



Packet count



Wait (uX for X microseconds, for example, -i u1000)



Numeric output






Interface name (otherwise, default routing interface)



Verbose mode



Debugging info



Bind Ctrl+Z to ttl (default to dst port)



Unbind Ctrl+Z



default mode




RAW IP mode



ICMP mode



UDP mode



Listen mode




Spoof source address



ttl (default 64)



id (default random)



Use win* id byte ordering



Relativize id field (to estimate host traffic)



Split packets in more fragments (can pass weak ACL)



Set more fragments flag



Set don't fragment flag



Set the fragment offset



Set virtual mtu; implies --frag if packet size > mtu



Type of service (default 0x00); try --tos help



Include RECORD_ROUTE option and display the route buffer



Set the IP protocol field, only in RAW IP mode




ICMP type (default echo request), try --icmptype help



ICMP code (default 0)



Display help for other ICMP options




Base source port (default random)



-[+][+]<port> destination port (default 0) Ctrl+Z increase/decrease



Keep still source port



Set window size (default 64)



Set fake TCP data offset (instead of tcphdrlen/4)



Show only TCP sequence number



Send packets with a bad IP checksum



Set TCP sequence number



Set TCP ack



Set FIN flag



Set SYN flag



Set RST flag



Set PUSH flag




Set ACK flag



Set URG flag



Set X unused flag (0x40)



Set Y unused flag (0x80)



Set last tcp->th_flags as exit code




Data size (default is 0)



Data from file



Add "signature"



Dump packets in hex



Dump printable characters



Enable "safe" protocol



Tell you when --file reaches EOF and prevent rewind



(Implies --bind) traceroute mode

You can see from the help file how configurable hping2 really is. A cracker can modify almost any byte in the TCP/IP header. This enables a cracker to really become creative with her scanning techniques in performing reconnaissance. This tool also enables the cracker to insert crafted data into the packet. This means that the cracker could insert malicious code of any kind—buffer overflows, Trojans, and so on—into a packet and use it to penetrate networks. If you don't have hping2, I recommend downloading it and giving it a test drive. The next version, hping3, will be scriptable and provide better output capabilities.

There are many more great port scanners out there than what we have covered here. Port scanners provide the cracker with a tool that "knocks" on the door of computer networks. This also gives the cracker an idea of what operating system and services the targeted network is running. With this type of information, the cracker can then proceed to her favorite exploit toolkit and proceed to penetrate the targeted network. These tools can and should be used by the computer professional to evaluate systems. By using these tools, a systems administrator can identify vulnerabilities before an attacker does.

Passive Operating System Identification Fingerprinting

Passive OS fingerprinting is a technique that is gaining popularity in both the cracker world as well as in the security world. Passive OS fingerprinting enables a person to identify an operating system by analyzing its TCP/IP stack. This technique is as stealthy as it gets, because all you need is a packet sniffer and some time. An attacker using a sniffer does not have to worry about sending strange packets to determine what OS he is up against.

Almost all operating systems have default settings, including settings for TCP/IP. An example of this is Linux. If you look at /proc/sys/net/ipv4 in Listing 3.3, you'll find a wide range of settings that contain default information that the system uses in its daily tasks. Listing 3.3 shows the TCP/IP parameters in Linux.

Listing 3.3 /proc/sys/net/ipv4


Let's look at a few of these parameters and determine what they do and how they affect the operating system.

  • ip_default-ttl—This parameter sets the default time-to-live value to 64. It can be changed on a Linux box by using echo 128 >> ip_default_ttl.

  • ip_forward—Although this parameter does not directly affect passive OS fingerprinting, it does have a big effect on OS security. By default, ip_forward is set to 0, which disables IP forwarding. Setting it to 1 enables IP forwarding and also permits the computer to forward packets from one interface to another, which can be a security issue.

  • ip_local_port_range—This parameter identifies the default source port range that Linux will use. Normally, this is set to 1024-4999. This is good information to know if you are attempting to determine whether a packet is good or bad.

  • tcp_sack—This parameter lets the operating system know whether it supports the Selective Acknowledgment standard (RFC 2883). By default (Linux), this is set to 1 (supporting this standard).

  • tcp_timestamps—This parameter lets the operating system know whether it supports the timestamp function. By default (Linux), this is set to 1.

  • tcp_window_scaling—This parameter lets the operating system know whether it supports the window scaling function. This option is used to decrease congestion. By default (Linux), this is set to 1.

Listing 3.3 shows only the parameters that are related to passive OS fingerprinting. Although we have only covered Linux default settings so far, every OS has its own set of default settings. A good example is the Windows platform: Windows 98, NT, and 2000 all use a default TTL of 128.


There is, however, a whole world using ICMP. To check this out, go to http://www.sys-security.com. There is an ICMP-based OS fingerprinting program on this site as well.

Let's look at a few other operating systems and their default TCP/IP settings:

  • Microsoft (98, NT)

    Packet size (just headers) = 44 bytes (default)

    SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag and the Maximum Segment Size (mss) flag

    TTL = 128

  • Microsoft (2000)

    Packet size (just headers) = 48 bytes (default)

    SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, Maximum Segment Size (mss) flag, two nops, and the Selective Acknowledgment flag.

    TTL = 128

  • Linux (Red Hat 6.2)

    Packet size (just headers) = 60 bytes (default)

    SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, Maximum Segment Size (mss) flag, nops, Selective Acknowledgment flag, Timestamp, Window Scaling (wscale). These hold true for the initial SYN. SYN|ACK Linux responds according to the computer that made the initial SYN.

    TTL = 64 (On a RESET packet, the TTL is 255)

Knowing this, you can identify operating systems by looking at network traffic. One thing to keep in mind is that if a sysadmin or cracker changes any of the parameters, it will throw off your analysis. Therefore, passive OS fingerprinting is not 100% accurate—but then again, nothing is. Listing 5.4 shows two packets that will help you identify an OS using passive fingerprinting.

Listing 3.4 Identifying Operating Systems

15:59:52.533502 > my_isp.net.1100 >
_S 325233392:325233392(0) win 32120
_<mss 1460,sackOK,timestamp 88950 0,nop,wscale 0> (DF) (ttl 64, id 505)
       4500 003c 01f9 4000 4006 0522 xxxx xxxx
       860b ebe8 044c 0050 1362 aaf0 0000 0000
       a002 7d78 7887 0000 0204 05b4 0402 080a
       0001 5b76 0000 0000 0103 0300

16:00:14.188756 >my_isp.net.1105 >
_134.11.235.232.www: R 346737591:346737591(0) win 0 (ttl 255, id 544)
       4500 0028 0220 0000 ff06 860e xxxx xxxx
       860b ebe8 0451 0050 14aa cbb7 0000 0000
       5004 0000 973c 0000

In Listing 3.4, you see two packets. The first is a SYN packet, and the second is a RST packet. Looking at the SYN packet, notice some important indicators:

  • The SYN has a TTL of 64.

  • The SYN sets its mss, sackOK, nop, and wscale parameters and the DF flag. Also, pay close attention to the header size (3c = 60 bytes).

  • Look at the source port as well. Port 1100 falls within the default source port range of 1024–4999.

These indicators point to...Linux. That's right, the OS we were looking at in Listing 3.4 is coming from a Linux machine. Let's take a brief look at the RST packet. First, look at the TTL (255). When Red Hat Linux sends an RST, it will use a default TTL of 255; whereas when it is trying to establish a connection, it uses a TTL of 64. Another characteristic of Linux RST packets is their size. Normally, a Red Hat packet is 60 bytes in length. When setting the RST flag, RH Linux has a packet length of only 40 bytes.

How do OS fingerprinting and Linux tie back into reconnaissance? If a cracker uses any of the previously mentioned techniques, he can obtain very valuable information about a computer network. That type of information includes network mapping, IP addresses, patch levels, and the discovery of different operating systems.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020