Re: [Security Weekly] [GPWN-list] Pen Testing and the Canadian anti-spam law
From: Ty Purcell <TPurcell () ffin com>
Date: Tue, 1 Jul 2014 16:03:19 +0000

Is there the possibility of properly crafting the Statement of Work and Rules of Engagement to comply with the law
while also meeting your pentest operational needs?

From: gpwn-list on behalf of Jamil Ben Alluch
Sent: Tuesday, July 01, 2014 10:36:16 AM
To: advisory-board-open () lists sans org; gpwn-list () lists sans org; Security Weekly Mailing List
Subject: [GPWN-list] Pen Testing and the Canadian anti-spam law

I wanted to get some points of view in regards to the newly implemented anti-spam law that entered into effect today in
There are cases where during pen-testing projects, we are in a way required to send emails in order to test out
phishing attempts, malware downloads etc.
These would have to be crafted in a way that is appealing to the targeted end-user and often will have some kind of
appealing sales connotation or fake business application.
Now according to the CASL<http://fightspam.gc.ca/>, this would entitle senders to up to CA$1,000,000 in fines, if you
are an individual, and $10,000,000 in fines if you are a business.
Obviously in our line of work, in order to perform our duties as pen-testers, this could turn out to be a problem and
remove the possibility of trying out sets of attack vectors relying on emails.
I'd like to get some opinions on this matter.
Jamil Ben Alluch, ing. jr, GCIH
Information Technology & Security Consulting
jamil () autronix com