Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: [Security Weekly] [advisory-board-open] [GPWN-list] Pen Testing and the Canadian anti-spam law
From: Aaron Moss <kerrjar () gmail com>
Date: Tue, 1 Jul 2014 11:58:15 -0500

It seems like if you have a written statement specifically addressing what
methods you will be testing with (including the phishing emails) from the
business that you're performing the test against, then this would be
considered an Opt-In from the business itself. It would need to come from
someone who has the authority to allow it, but that seems like it would
fit.

Naturally, check with your legal counsel on this, and good luck!

Aaron


On Tue, Jul 1, 2014 at 11:52 AM, Jamil Ben Alluch <jamil () autronix com>
wrote:

That's what I am wondering.
I've read the CASL in its entirety and it gives very little room to do
anything without an opt-in.
Then again fake opt-ins could be crafted, but since you are sending to
individual employees user's addresses, I am not quite sure how it would
fall into the legislation, because, from my understanding, it would still
qualify as commercial communication.
ᐧ

*--*
*Jamil Ben Alluch, ing. jr, GCIH*
 [image: Autronix] <http://www.autronix.com>
*Information Technology & Security Consulting*
jamil () autronix com
+1-819-923-3012
+1-877-564-7656 e.123


On Tue, Jul 1, 2014 at 12:03 PM, Ty Purcell <TPurcell () ffin com> wrote:

 Jamil,

Is there the possibility of properly crafting the Statement of Work and
Rules of Engagement to comply with the law while also meeting your pentest
operational needs?

Ty





------------------------------
*From:* gpwn-list on behalf of Jamil Ben Alluch
*Sent:* Tuesday, July 01, 2014 10:36:16 AM
*To:* advisory-board-open () lists sans org; gpwn-list () lists sans org;
Security Weekly Mailing List
*Subject:* [GPWN-list] Pen Testing and the Canadian anti-spam law

 Hello,

 I wanted to get some points of view in regards to the newly implemented
anti-spam law that entered into effect today in Canada.

 There are cases where during pen-testing projects, we are in a way
required to send emails in order to test out phishing attempts, malware
downloads etc.

 These would have to be crafted in a way that is appealing to the
targeted end-user and often will have some kind of appealing sales
connotation or fake business application.

 Now according to the CASL <http://fightspam.gc.ca/>, this would entitle
senders to up to CA$1,000,000 in fines, if you are an individual, and
$10,000,000 in fines if you are a business.

 Obviously in our line of work, in order to perform our duties as
pen-testers, this could turn out to be a problem and remove the possibility
of trying out sets of attack vectors relying on emails.

 I'd like to get some opinions on this matter.

 Best Regards,

 *--*
*Jamil Ben Alluch, ing. jr, GCIH*
[image: Autronix] <http://www.autronix.com>
 *Information Technology & Security Consulting*
jamil () autronix com
+1-819-923-3012
+1-877-564-7656 e.123
  ᐧ



_______________________________________________
advisory-board-open mailing list
advisory-board-open () lists sans org
https://lists.sans.org/mailman/listinfo/advisory-board-open

If you want to unsubscribe from this list, navigate to:

https://lists.sans.org/mailman/listinfo/advisory-board-open

To unsubscribe, you'll need your list password.
If you forgot your password, you can get a reminder at the bottom of

https://lists.sans.org/mailman/listinfo/advisory-board-open


_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]