PaulDotCom mailing list archives

Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law
From: Jamil Ben Alluch <jamil () autronix com>
Date: Tue, 1 Jul 2014 12:52:53 -0400

That's what I am wondering.
I've read the CASL in its entirety and it gives very little room to do
anything without an opt-in.
Then again fake opt-ins could be crafted, but since you are sending to
individual employees user's addresses, I am not quite sure how it would
fall into the legislation, because, from my understanding, it would still
qualify as commercial communication.

*Jamil Ben Alluch, ing. jr, GCIH*
Autronix <http://www.autronix.com>
*Information Technology & Security Consulting*
jamil () autronix com
+1-877-564-7656 e.123

On Tue, Jul 1, 2014 at 12:03 PM, Ty Purcell <TPurcell () ffin com> wrote:

Is there the possibility of properly crafting the Statement of Work and
Rules of Engagement to comply with the law while also meeting your pentest
operational needs?

*From:* gpwn-list on behalf of Jamil Ben Alluch
*Sent:* Tuesday, July 01, 2014 10:36:16 AM
*To:* advisory-board-open () lists sans org; gpwn-list () lists sans org;
Security Weekly Mailing List
*Subject:* [GPWN-list] Pen Testing and the Canadian anti-spam law


I wanted to get some points of view in regards to the newly implemented
anti-spam law that entered into effect today in Canada.

There are cases where during pen-testing projects, we are in a way
required to send emails in order to test out phishing attempts, malware
downloads etc.

These would have to be crafted in a way that is appealing to the
targeted end-user and often will have some kind of appealing sales
connotation or fake business application.

Now according to the CASL <http://fightspam.gc.ca/>, this would entitle
senders to up to CA$1,000,000 in fines, if you are an individual, and
$10,000,000 in fines if you are a business.

Obviously in our line of work, in order to perform our duties as
pen-testers, this could turn out to be a problem and remove the possibility
of trying out sets of attack vectors relying on emails.

I'd like to get some opinions on this matter.

Best Regards,

*Jamil Ben Alluch, ing. jr, GCIH*
Autronix <http://www.autronix.com>
*Information Technology & Security Consulting*
jamil () autronix com
+1-877-564-7656 e.123

securityweekly mailing list
securityweekly () mail securityweekly com
Main Web Site: http://pauldotcom.com
