PaulDotCom mailing list archives
Re: [Security Weekly] [advisory-board-open] [GPWN-list] Pen Testing and the Canadian anti-spam law
From: Aaron Moss <kerrjar () gmail com>
Date: Tue, 1 Jul 2014 11:58:15 -0500
It seems like if you have a written statement specifically addressing what methods you will be testing with (including the phishing emails) from the business that you're performing the test against, then this would be considered an Opt-In from the business itself. It would need to come from someone who has the authority to allow it, but that seems like it would fit.

Naturally, check with your legal counsel on this, and good luck!

Aaron

On Tue, Jul 1, 2014 at 11:52 AM, Jamil Ben Alluch <jamil () autronix com> wrote:
That's what I am wondering. I've read the CASL in its entirety and it gives very little room to do anything without an opt-in.

Then again fake opt-ins could be crafted, but since you are sending to individual employees' user addresses, I am not quite sure how it would fall into the legislation, because, from my understanding, it would still qualify as commercial communication.

--
Jamil Ben Alluch, ing. jr, GCIH
Autronix <http://www.autronix.com>
Information Technology & Security Consulting
jamil () autronix com
+1-819-923-3012
+1-877-564-7656 e.123

On Tue, Jul 1, 2014 at 12:03 PM, Ty Purcell <TPurcell () ffin com> wrote:

Jamil,

Is there the possibility of properly crafting the Statement of Work and Rules of Engagement to comply with the law while also meeting your pentest operational needs?

Ty

------------------------------
From: gpwn-list on behalf of Jamil Ben Alluch
Sent: Tuesday, July 01, 2014 10:36:16 AM
To: advisory-board-open () lists sans org; gpwn-list () lists sans org; Security Weekly Mailing List
Subject: [GPWN-list] Pen Testing and the Canadian anti-spam law

Hello,

I wanted to get some points of view in regards to the newly implemented anti-spam law that entered into effect today in Canada.

There are cases where during pen-testing projects, we are in a way required to send emails in order to test out phishing attempts, malware downloads etc. These would have to be crafted in a way that is appealing to the targeted end-user and often will have some kind of appealing sales connotation or fake business application.

Now according to the CASL <http://fightspam.gc.ca/>, this would entitle senders to up to CA$1,000,000 in fines, if you are an individual, and $10,000,000 in fines if you are a business.

Obviously in our line of work, in order to perform our duties as pen-testers, this could turn out to be a problem and remove the possibility of trying out sets of attack vectors relying on emails.

I'd like to get some opinions on this matter.

Best Regards,

Jamil Ben Alluch, ing. jr, GCIH