'Chinese cyberspies' target energy giants

Judging From My Experience With Corporate Germany

...this report could be fully true, except for the "McAfee solutions for the problem" part.

Instead of having a proper (ie speedy, pervasive) patch policy in place, the corpos have two-factor-authentication, x-ray machines to check the bag you bring in and restrictive physical access policies.

Worker's PCs have age-old firefoxes, age-old Flash and age-old JavaWebstart versions installed. Exfiltration by Google Mail's SSL is certainly possible. Spearphishing would be the easiest thing one can imagine.

One example:

http://www.businessweek.com/pdfs/2008/0816_spearphishing.pdf

The management people don't want to be bothered with the problem, they do not want to develop social and technological solutions which would reconcile security with business efficiency. All they are willing to do is to shell out money for some Magical Device, which would fend off the threat at the firewall. Because this does not require interacting with these smelly unshaved computer folks.

I know that there exist sophisticated firewall-level detection technologies, but they do not block an attacker who is aware of them. For example, a Firefox-based malware could first use an exploit in the Javascript engine to start itself and then use another exploit to persist itself into the cache of Firefox. Only after running for a long time (hours, days) the exploit would do its malicious work. How is a firewall-based "Firefox Simulation Sandbox" supposed to detect that ?

A sophisticated AppArmor- or Sandboxie-based solution could thwart this attack. But that would require more than writing a cheque. It would require these "skilled executives" to use their brain cells. Horrible !