This may be of interest to most of the board.
Microsoft has a free security tool that will inform you of some of your (Windows) system's weaknesses - most notably, ACCOUNTS ON THE SYSTEM THAT HAVE NO PASSWORD. http://www.microsoft.com/en-us/download/details.aspx?id=7558
This saved my bacon once. I had installed a different security tool from a well-respected vendor. A few days later, I found Microsoft's tool and it informed me that the first tool had created an administrator-level account for its own use and hadn't given the account a password. (See what can happen when you download something and tell it that you trust the vendor? And this was a PROMINENT security company. Rapid7, I think.) Talk about an asinine mistake for a security company to make! It was pure luck that I found the account as soon as I did - because there was nothing except an easily-breached home firewall between my computer and the rest of the world.
Here's an imaginary story that never really happened, got that? But a few years ago, a user on an internet forum like this one ticked me off. I hosted an image and made it available to the user, then captured the IP addresses of the users who accessed it. I already knew the part of the country where the user lived, so http://ipgetinfo.com/ told me which system to target.
I scanned the target's computer (grab a free copy of NESSUS if you'd like to see how easy that is), found an open port indicative of vulnerable (unpatched) software, exploited the vulnerability and promptly got into an admin account with a very predictable password.
I won't go into any further details (because this was an imaginary event, right? lol.) But getting onto an internet user's system is as easy as that if the target is clueless.
Most people are clueless.
Something everyone should keep in mind: When Microsoft does its patching, it patches the operating system and the OS tools. It's up to you to patch your software - and holes in the software can be every bit as bad as holes in the OS. I'm sure everybody here is diligent about keeping their application patch levels current. Right?
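The kind of check described at the top of this post (local accounts with no password, especially administrator-level ones), as an added example that is not part of the original post and is not the Microsoft tool's own code. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, run from an elevated prompt.

```powershell
# Added example: list local accounts that may have no password.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

# Well-known SID of the built-in Administrators group; using the SID
# instead of the name keeps this working on localized Windows installs.
$adminGroupSid = 'S-1-5-32-544'

# SIDs of user accounts that are members of Administrators.
# Get-LocalGroupMember can fail if the group holds an orphaned SID,
# so fall back to "unknown" rather than silently reporting no admins.
$adminSids = $null
try {
    $adminSids = @(Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { $_.SID.Value })
} catch {
    Write-Warning "Could not read Administrators membership: $($_.Exception.Message)"
}

$findings = foreach ($user in Get-LocalUser) {
    $reasons = @()
    # PasswordRequired = $false means a blank password is permitted.
    if (-not $user.PasswordRequired)      { $reasons += 'blank password permitted' }
    # PasswordLastSet is empty when no password was ever set on the account.
    if ($null -eq $user.PasswordLastSet)  { $reasons += 'password never set' }
    if ($reasons.Count -eq 0) { continue }

    [pscustomobject]@{
        Name        = $user.Name
        Enabled     = $user.Enabled
        IsAdmin     = if ($null -eq $adminSids) { 'unknown' }
                      else { $adminSids -contains $user.SID.Value }
        Reasons     = $reasons -join '; '
        Description = $user.Description
    }
}

# Enabled administrator accounts are the ones to look at first.
$findings |
    Sort-Object @{ Expression = { "$($_.IsAdmin)" -eq 'True' }; Descending = $true },
                @{ Expression = 'Enabled'; Descending = $true },
                Name |
    Format-Table -AutoSize -Wrap
```

Disabled built-in accounts such as Guest can show up with "blank password permitted"; the rows that matter are enabled accounts, above all ones with IsAdmin set that you did not create yourself.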