
White-Hat Security Arsenal: Tackling the Threats





  • Copyright 2001
  • Dimensions: 7-3/8" x 9-1/4"
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-71114-1
  • ISBN-13: 978-0-201-71114-1

"Avi Rubin does a great job of explaining the motivations behind many security solutions, as well as providing practical information about how you can solve real-world problems. White-Hat Security Arsenal is an invaluable resource--a judicious mix of practical information and the theory behind it."

--Marcus J. Ranum, CTO, NFR Security, Inc.

"White-Hat Security Arsenal ups the ante for the good guys in the arms race against computer-based crime. Like a barrage of cruise missiles, Avi's excellent book attains air superiority by leveraging smarts and advanced GPS technology to zero in on critical targets. Intended to educate and inform information security professionals with a no-nonsense, hold-the-hype approach to security, this book is a critical weapon for modern information warriors. If you wear a white hat and are on the good guys' team, buy this book. Don't go into battle without it!"

--Gary McGraw, Ph.D., CTO, Cigital

How do I allow secure remote access to my site? How do I protect data on my laptop in case it's stolen? How should I configure my firewall? Will I regret using my credit card online? How will the bad guys attack? If these are some of the questions that keep you awake at night, you need to read this book.

As a computer security expert at AT&T Labs, author Avi Rubin regularly meets with IT staffs from all types of companies. When asked to recommend resource material to his customers, Rubin realized that there just wasn't a book on the market that would give them concise, direct answers to all their security questions. So he wrote one.

Using a problem-oriented approach, Rubin walks you through everything from protecting against network threats to using credit cards on the Web. Each chapter begins with a problem statement, continues with a description of the threat, explains the technologies involved, and then offers solutions. Chapters conclude with one or more case studies.

You'll find easy-to-understand information that will help you
  • Identify the risks
  • Put attacks in perspective
  • Store information securely
  • Perform reliable and secure backups
  • Transfer information securely across hostile networks
  • Understand Public Key Infrastructure (PKI) and its limitations
  • Protect against network threats
  • Set up firewalls
  • Deal with denial of service attacks
  • Understand online commerce and privacy

Whether you are an IT professional, a system administrator, an academic, or simply a regular Internet user, White-Hat Security Arsenal is full of information you can't afford to miss.


Sample Content

Online Sample Chapter

Secure Backup: Protecting Your Data


Table of Contents




1. Shrouded in Secrecy.
2. Computer Security Risks.

What Is at Risk.

Data, Time, and Money.



Resource Availability.

Why Risks Exist.

Buggy Code.

The User.

Poor Administration.

Exploiting Risks.

Moving On.

3. The Morris Worm Meets the Love Bug: Computer Viruses and Worms.


A Touch of History.

The Morris Worm.

When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.


When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.

CIH Chernobyl.

When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.


When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.


When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.


When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.


When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.

The Love Bug.

When It Hit and What It Did.

How and Why It Worked.

The Consequences.

How We Recovered.

Lessons Learned.



4. Local Storage.

Physical Security.

Cryptographic Security.

What Can Be Achieved with Cryptography.

Cryptography Is Not Enough.

Basic Encryption and Data Integrity.

Protecting Data with Passwords.

Graphical Passwords.

Cryptographic File Systems.

Case Studies.



EFS in Windows 2000.

Further Reading.

5. Remote Storage.

Remote Storage.

NFS Security.

Adding Security.

User Authentication.

Strengthening Passwords.

Access Control Lists and Capabilities.


Case Study.


Further Reading.

6. Secure Backup.

Secure Backups.

Physical Security.

Backup over a Network.

Key Granularity.

Backup Products.



Secure Backup Systems.



NetMass SystemSafe.


Safeguard Interactive.

Veritas Telebackup.

Deleting Backups.

Case Study.

The Client Software.

Incremental Backups.

Further Reading.


7. Setting up a Long-Term Association.

What Is Identity?

Identity in Cyberspace.

Exchanging Public Keys in Person.

Certification Authorities.

Public Key Certificates.

Certificate Hierarchies.

Long-Term Relationships within an Organization.

Global Trust Register.


Long-Term Relationships in the Wild.

Managing Private Keys.

Symmetric Keys.

Case Study.


Further Reading.

8. Deriving Session Keys.

Long-Term Keys Are Not Enough.

What Are Session Keys?

Key Exposure.

Perfect Forward Secrecy.

Security Associations.

Picking a Random Key.

Session Keys from Symmetric Long-Term Keys.


Another Approach.

Session Keys from Long-Term Public Keys.

Diffie-Hellman Key Exchange.

Session Keys in SSL.

Protocol Design and Analysis.

Case Study.

Clogging Attacks.

ISAKMP Exchanges.

Key Refreshment.

Primes in OAKLEY.

Further Reading.

9. Communicating Securely After Key Setup.

Protecting Information.



Which Layer Is Best for Security?


The Link Layer.

The Network Layer.

The Transport Layer.

The Application Layer.

Replay Prevention.

Case Study.



Further Reading.


10. Protecting a Network Perimeter.

Insiders and Outsiders.

Network Perimeter.

Benefits of Firewalls.

Types of Firewalls.

Packet Filters.

Application-Level Gateways.

Using the Firewall.

Configuring Rules.

Web Server Placement.

Exit Control.

Remote Access.

Logging in Directly.

Dial-up Access.

VPN Access.

Web-Only Access.

Case Study.

Further Reading.

11. Defending against Attacks.

Bad Guys.



Denial of Service.


Defending against Mapping.

Monitoring the Traffic.

Intrusion Detection.

Defense against DDOS.

Other Tools.

Case Study.

Further Reading.


12. Protecting E-Commerce Transactions.

Credit Cards on the Web.

The SSL Protocol.

Protocol Overview.

Configuring a Browser.

Configuring a Server.




Case Study.

How Passport Works.

Risks of Passport.

Further Reading.

13. Protecting Privacy.

Online Privacy.

What Is at Risk?

E-Mail Privacy.

Protecting E-Mail with Cryptography.

Anonymous E-Mail.

How Is Personal Privacy Compromised?

Direct Methods.

Indirect Methods.

Defense Mechanisms and Countermeasures.

Protecting Data on Your Machine.

Protecting Credit Card Information.

Safeguarding Your Browsing History.

Hiding Your Surfing.

Posting Anonymously to the Web.

Case Study.


Further Reading.

Index.


Why I Wrote This Book

As a computer security expert at AT&T Labs, I often find myself meeting with members of IT departments of our large customers. This year, for example, I've met with, among others, the CIO of Ford Motor Company, the CTO of JP Morgan, and a Vice President of American Axle Manufacturing. In each case, they bring along an entourage of system administrators and other members of their team, and they come loaded with problems. How do I allow secure remote access to my site? How should I configure my firewall? How do employees store information securely on laptops? The list of questions goes on and on. I listen to them and offer my advice and expertise.

The customers always ask me what book I recommend to solve all of their problems. There are some good books on security out there. However, they are written from a disciplinary approach. There is usually a chapter on cryptography, a chapter on protocols, a chapter on SSL, and so on. So, I set out to write a book that directly answers the questions that these large IT departments face.

What sets this book apart from others is the problem-oriented approach. Each chapter starts out with a problem statement using Alice and sometimes Bob, borrowing these characters from the cryptography literature.

The book is divided into five parts. Each part is written to be self-contained, so there is some redundancy of information across parts. Within each part (except the first), there are chapters, each of which represents a problem. Within the chapter is a description of the threat model, explanations of the technologies involved, and some solutions. The chapters conclude with one or more case studies. The idea is to give the readers enough information to understand the problem in detail, to have the ability to evaluate solutions, and even to be able to solve the problem themselves.

Intended Audience

There are several different kinds of people who can benefit from this book. I have tried to identify the computer security problems that are the most common and the most interesting to study. Some of you will read this book to figure out the solution to a particular problem. Others will read it to educate themselves about certain risks. Whether you are a practicing information technology professional, a system administrator, a graduate student in computer science, or simply an end user, there is something for you in this book. Some problems that I cover are less complex and little technical training is needed to understand the solutions. Other problems require intricate technical solutions that may seem incomprehensible to someone without a computer science or math background. To facilitate your reading experience, I have identified each chapter by the level of difficulty and the intended audience. At the beginning of each chapter, I display icons that represent the intended audience. The leftmost icon is the most relevant audience for the chapter, and the icons are thus ordered from left to right.

The Surfer/End User

Surfers or "end users" are those who surf the Web, read e-mail, and use computers in their everyday lives. They don't necessarily have any formal computer science training, but they are proficient in day-to-day uses of computers. For example, they know how to install software and how to change the settings in their browsers.

The IT Professional

Information technology professionals are those who are quite knowledgeable about computers. They may be in charge of a large network deployment, programmers, system architects, or even managers. It is safe to assume that these people have a computer science or CIS degree, and that they have been working with computers for some time.

The Academic

Academics are usually either professors or graduate students. Academics are usually interested in the technical details and the theory behind a solution, as much as in the solution itself. Academics are likely to consult other references to further understand the material, and the gory details are welcome, rather than feared.

The System Administrator

System administrators are those who are often responsible for the security of a site. They are usually the ones putting out fires, and their jobs may be on the line if information is lost, or if a major break-in occurs. These people are interested in making sure that their systems are safe, and while they would normally love to study and understand the theory behind the solutions, there is no time for that. What they really want is to figure out exactly how to solve the problem that is pressing at the moment.

Each chapter in this book presents the solution to a problem that is important to some subset of these characters. While you may or may not fit exactly into one of these descriptions, I hope that the icons at the beginnings of the chapters will give you a good idea of what level of detail and complexity to expect when you read it.

Guide to the Book

There are five parts to the book:

Part I

The first part is intended to motivate the rest of the book. No problems are identified here; rather, I address the issue of threat and why people need to worry about solving computer security problems.

  • Chapter 1: This chapter deals with the fact that it is difficult to get companies to admit to computer security incidents. As a result, it is hard to estimate the true damage from security incidents.
  • Chapter 2: This chapter covers what is at risk, in order to help the reader understand the threats.
  • Chapter 3: This chapter is unique in this book. Computer viruses and worms are the security problems that receive the most press and that people are most acutely aware of. Rather than focus on the problem and its solutions, I thought that I would use viruses and worms to help the reader appreciate the level of threat posed to computers and networks. The chapter puts these attacks in perspective and explains how they work.

Part II

The second part deals with secure storage of information. The following problems are addressed:

  • Chapter 4: Alice has some important information that she wishes to store on her computer. How does she protect the data so that even if her machine falls into the hands of an adversary, the data will remain confidential, and she will be able to detect any tampering with the information? Ideally, Alice would like a solution that is easy to use and is applicable to multiple applications.
  • Chapter 5: Alice uses a file system that stores files remotely. How can she protect the authenticity and confidentiality of the data from an adversary who is on the network or in control of the remote file server?
  • Chapter 6: Alice considers her data very important. She has been around long enough to experience the painful loss of files due to arbitrary failures of software and hardware. The data on Alice's machine are of a very sensitive nature. She is very good at physically securing her machine and protecting her data while it is in her possession, but how does she back up her data in such a way that the backups are reliable and also secure?

Part III

The third part is the most technical in the book. It deals with transferring information securely on vulnerable networks. The following problems are addressed:

  • Chapter 7: How does Alice identify Bob in such a way that she can guarantee that future communications with Bob are identifiable and so that no other party is able to establish communication with Alice that appears to be from Bob? In addition, if Alice realizes that some other party, Evil, may potentially impersonate her, how does Alice recover to limit the damage that can be caused by Evil?
  • Chapter 8: Assume that Alice and Bob have a long-term association. They either know each other's public keys, share a symmetric long-term key with a trusted authority, or share a symmetric long-term key with each other. How do Alice and Bob securely establish symmetric session keys to protect their information?
  • Chapter 9: Assume that Alice and Bob have session keys for encryption and authentication. How do they protect their communication? Where in the protocol stack is the best place to put their security?

Part IV

The fourth part of this book has to do with protecting against network threats. This includes setting up firewalls, detecting intrusions, and dealing with denial-of-service attacks. The following problems are addressed:

  • Chapter 10: Alice is in charge of the security of a network. The network is too large and complex for her to harden every host and protect network resources from attack. How does she define a perimeter, set a uniform policy for the network, and defend against malicious external attacks? Once she defines the perimeter, how does she allow remote access for legitimate users while excluding others?
  • Chapter 11: Alice is in charge of the security of a network. How does she defend a network against attacks? How does she detect intrusions and respond? How can she deal with massive denial-of-service attacks?

Part V

The fifth and final part of the book deals with online commerce and privacy. The part covers issues such as using credit cards on the Web and the privacy of Web browsing. The following problems are addressed:

  • Chapter 12: Alice runs an online store. How does she make sure that her customers can shop online without the threat of their credit cards being stolen by an active attacker on the network? She would like to add security while not adversely affecting the performance of her server. Bob likes to shop online. Should he put his credit card into a Web form? What is he risking by doing so?
  • Chapter 13: Alice likes to use the Internet. She browses the Web on interesting topics, purchases things online, participates in e-mail discussion groups and chats, and maintains her own Web site. How does Alice preserve the privacy of her personal information? How does she prevent third parties from collecting information about her and tracking her online presence?

How to Read This Book

There are several ways to read this book. If you are reading it because you have some of the problems mentioned here, then the best thing to do is to jump to the chapter that addresses your problem and read it. If it is in the middle of a part, you may find that some of the material in the earlier chapters is needed, so I recommend that you find the part that contains your problem and read that whole part.

If you are interested in learning about all of the problems, or security in general, then read the book from start to finish. There is no dependence on order in the parts, so you can read them in whatever order you like, but it is best to read the chapters within a part in the order they appear.

At the end of each chapter there is a listing of all of the references that are cited within the text. The books, articles, and Web sites are listed in the order that they appear. I have done my best to reference only Web sites that I expect to be around for a while, and I have tested all of them several times since I wrote each section, but of course, the Web is dynamic, so there are no guarantees. I maintain a Web site with all of the links in the book, and I keep it as up to date as possible. The URL is http://white-hat.org/. Please let me know if you find a broken link there. At the end of the book is the full bibliography listed by the numbers that are used for citation within the text.

There is a glossary of acronyms used throughout the book, so if you come across a term you do not understand, it may help to check there.

Avi Rubin



A

    Absent, 216-219, 220
    Access control. See Access control lists (ACLs); Capabilities model
    Access control lists (ACLs), 86, 93-96
       firewalls and, 201, 203-204, 223
    Access control matrices, 95, 96
    ACSnet, xxv
    ActiveX control attacks, 35-36, 233
    Address Resolution Protocol (ARP), 234, 241, 242
    Adleman, Len, 17
    Administrator. See System administrator
    Advanced Encryption Standard (AES), 55, 56-58, 180
       in backups, 112
       Web site, 180
    Aggressive exchange, 173
    Algebraic rewriting systems, 166
    Algorithm independence, 170
    Algorithms, 54, 56. See also Advanced Encryption Standard (AES); Data Encryption Standard (DES); MD5 algorithm; RSA algorithm
       Blowfish, 106, 108
       CAST, 57, 106, 109
       DESX, 79, 80
       MARS, 57
       Quicksort, 148
       RC series, 55, 57, 265, 270
       Secure Hash (SHA), 58, 59, 60, 144, 149, 162, 186
       Serpent, 57
       Twofish, 57, 181
    American Express, 261
    Analyzer, 243
    Andrew File System (AFS), 86-87, 96
       access control, 93-96
       Needham and Schroeder protocol, 151
       passwords, 87-92
    Anonymity and session keys, 169-170, 172
    Anonymizer, 294
    Anonymous Diffie-Hellman, 158-160
    Anonymous posting, 296-298
    Anonymous remailers, 287-288
    Anonymous surfing, 294-295, 296
       attacks, 295-296
    AntiSniff, 243
    Antivirus Research Center, 39
    Antivirus software. See Virus protection software
    Apache-SSL, 268
    Application-layer security, 181, 184, 186-187
       remote access, 212
    Application-level data
       firewalls and, 203
       sniffers, 241
    Application-level gateways, 201, 202, 203-204
       mapping and, 238
       toolkits, 204
    ARPAnet, xxv
    ASN.1 notation, 127
    Asymmetric cryptography. See Cryptography, public key
    @backup, 108
    @stake, 88
    Attack programs, 85, 108, 229-230
       DDOS, 237
       hijacking, 234
       ICMP, 203
       mapping, 229, 250-253
       password, 88
       proxies, 231-232
       remote control, 12, 230-231, 232
       sniffers, 105, 209, 238, 239-243
       wardialers, 212
    Attacks, 5, 227, 229-237, 250-253. See also specific attacks
       defenses against, 237-250
       Java/JavaScript and, 295-296
       single sign-on, 278-280
    Audit systems, 198
       E-commerce privacy, 292
       financial institutions, 4
    Augmented Key Exchange (AKE), 90-91, 92
    Authentication, 48-49, 179, 180. See also Cryptography
       in backup programs, 108, 110, 114
       confidentiality vs., 54, 60, 180
       credentials, 63
       exit control, 206
       IPsec, 192-193
       MACs, 58-61, 144-145, 192-193
       NFS, 86
       session keys, 143-145
    Authentication Header (AH), 189-190, 192-193
    Authentication-only exchange, 172-173
    Authentication, server, 121, 209
       SFS, 97, 98
       SSL/TLS, 261
    Authentication, user, 87-92, 179, 180. See also Identity; Passwords
       backup and, 105, 108, 109, 112-113, 114
       biometrics, 209-210
       certificates, 126-129, 130-131, 133-140
       confidentiality vs., 154, 190
       long-term relations, 120-141, 143-175
       NFS, 85, 86
       public key cryptography, 90, 120-132, 133-140, 157-175
       register, 129-130
       remote access, 209-219, 220
       session keys, 143-175
       SFS, 97
       SSL/TLS, 261
       symmetric cryptography, 132, 149-156
    Authorization certificates, 126. See also Permissions
    Axent Technologies, 244
       Intruder Alert, 246
       Net Prowler, 246

B

    Babylonia, 37-39
    Back doors, 12, 230-231
    BackJack, 109
    BackOrifice (BO2K), 12, 230-231, 232
    Backup database, incremental, 113-114
    Backups, 48, 49, 103-111
       deleting, 110-111
       in EFS, 79
       encrypted, 104, 122
       exit control as, 206
       incremental, 109, 113-114
       in NFS, 85
       product checklist, 107
       public key certificates, 137
       remote, 105-106
       restoring, 112-113, 114
       system design, 111-114
       threat model, 103
       unattended, 106, 108, 109, 112
       viruses/worms and, 31, 33, 34, 36
       Web sites, 107, 108, 109, 110
    Bad guys, 227


