Re: [Security Weekly] [advisory-board-open] [GPWN-list] Pen Testing and the Canadian anti-spam law

[Aaron Moss <kerrjar () gmail com>]

It seems like if you have a written statement specifically addressing what
methods you will be testing with (including the phishing emails) from the
business that you're performing the test against, then this would be
considered an Opt-In from the business itself. It would need to come from
someone who has the authority to allow it, but that seems like it would
fit.

Naturally, check with your legal counsel on this, and good luck!

Aaron


On Tue, Jul 1, 2014 at 11:52 AM, Jamil Ben Alluch <jamil () autronix com>
wrote:

> That's what I am wondering.
> I've read the CASL in its entirety and it gives very little room to do
> anything without an opt-in.
> Then again fake opt-ins could be crafted, but since you are sending to
> individual employees user's addresses, I am not quite sure how it would
> fall into the legislation, because, from my understanding, it would still
> qualify as commercial communication.
> ᐧ
>
> *--*
> *Jamil Ben Alluch, ing. jr, GCIH*
>  [image: Autronix] <http://www.autronix.com>
> *Information Technology & Security Consulting*
> jamil () autronix com
> +1-819-923-3012
> +1-877-564-7656 e.123
>
>
> On Tue, Jul 1, 2014 at 12:03 PM, Ty Purcell <TPurcell () ffin com> wrote:
>
> >  Jamil,
> >
> > Is there the possibility of properly crafting the Statement of Work and
> > Rules of Engagement to comply with the law while also meeting your pentest
> > operational needs?
> >
> > Ty
> >
> >
> >
> >
> >
> > ------------------------------
> > *From:* gpwn-list on behalf of Jamil Ben Alluch
> > *Sent:* Tuesday, July 01, 2014 10:36:16 AM
> > *To:* advisory-board-open () lists sans org; gpwn-list () lists sans org;
> > Security Weekly Mailing List
> > *Subject:* [GPWN-list] Pen Testing and the Canadian anti-spam law
> >
> >  Hello,
> >
> >  I wanted to get some points of view in regards to the newly implemented
> > anti-spam law that entered into effect today in Canada.
> >
> >  There are cases where during pen-testing projects, we are in a way
> > required to send emails in order to test out phishing attempts, malware
> > downloads etc.
> >
> >  These would have to be crafted in a way that is appealing to the
> > targeted end-user and often will have some kind of appealing sales
> > connotation or fake business application.
> >
> >  Now according to the CASL <http://fightspam.gc.ca/>, this would entitle
> > senders to up to CA$1,000,000 in fines, if you are an individual, and
> > $10,000,000 in fines if you are a business.
> >
> >  Obviously in our line of work, in order to perform our duties as
> > pen-testers, this could turn out to be a problem and remove the possibility
> > of trying out sets of attack vectors relying on emails.
> >
> >  I'd like to get some opinions on this matter.
> >
> >  Best Regards,
> >
> >  *--*
> > *Jamil Ben Alluch, ing. jr, GCIH*
> > [image: Autronix] <http://www.autronix.com>
> >  *Information Technology & Security Consulting*
> > jamil () autronix com
> > +1-819-923-3012
> > +1-877-564-7656 e.123
> >   ᐧ
>
>
> _______________________________________________
> advisory-board-open mailing list
> advisory-board-open () lists sans org
> https://lists.sans.org/mailman/listinfo/advisory-board-open
>
> If you want to unsubscribe from this list, navigate to:
>
> https://lists.sans.org/mailman/listinfo/advisory-board-open
>
> To unsubscribe, you'll need your list password.
> If you forgot your password, you can get a reminder at the bottom of
>
> https://lists.sans.org/mailman/listinfo/advisory-board-open
_______________________________________________
securityweekly mailing list
securityweekly () mail securityweekly com
http://mail.securityweekly.com/cgi-bin/mailman/listinfo/securityweekly
Main Web Site: http://pauldotcom.com