So I have said for years as everyone in the security industry has “security is as good as your weakest link”. A couple of auditors for a credit union have performed a very real example. They laid USB drives where employees would find them that had trojans on them. These trojans then emailed persaonal info back out to the auditors. The easy way to audit eh? That is also another example of why anything on your systems not needed to perform business functions should be turned off. I don’t just mean inbound listeners and services but outbound as well. If a user doesn’t HAVE to have email to to their job don’t install it. It would help lessen the impact of situations like this. Remember the biggest key in being secure is to imagine that anything and everything can be exploited. The only truly safe computer is one that’s unplugged, and even then only if the hardrive doesn’t get stolen.