In another case, Havelt and his team were able to hack into a large manufacturer's HD security cameras. Since they could control them, and since five or six of them were pointed at desks, "and they have this 10X optical zoom, we could zoom in on keyboards and desks, harvest passwords and log into other systems."
Sometimes, the vulnerabilities are, or should be, ridiculously obvious. "Things like user names and passwords that are the same, or a network account with a password of 'admin,'" he says.
"I wish I could tell you that these are isolated instances, but they're not. There are thousands of cases."
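The "same as the username" and "admin" findings Havelt describes are the first thing a tester checks against a recovered credential list. The following is an added example, not code from the article or from Havelt's team: an offline audit that hashes username-derived and default guesses and compares them with each account's stored hash. The SHA-256 hashing, the default-password list and the sample accounts are all assumptions constructed for the example.

```python
import hashlib
from typing import Iterable, List, Tuple

# Passwords that turn up repeatedly on default or lazily configured accounts.
# This list is an assumption for the example; extend it from your own findings.
DEFAULT_PASSWORDS = ("admin", "password", "Password1", "123456", "changeme", "")


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256 of the password (assumed scheme, matching the sample below)."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates_for(username: str) -> Iterable[str]:
    """Guesses derived from the account name, followed by the default-password list."""
    base = username.split("@")[0]
    yield base                 # password identical to the user name
    yield base.capitalize()
    yield base + "123"
    yield base + "1"
    yield base[::-1]           # user name reversed
    yield from DEFAULT_PASSWORDS


def find_weak_credentials(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return [(username, guessed_password)] for every account whose stored hash
    matches a username-derived or default guess.

    records: iterable of (username, sha256_hex_of_password) pairs.
    """
    findings = []
    for username, digest in records:
        tried = set()
        for guess in candidates_for(username):
            if guess in tried:
                continue
            tried.add(guess)
            if sha256_hex(guess) == digest:
                findings.append((username, guess))
                break  # one confirmed weak password per account is enough
    return findings


# Constructed sample: a small credential dump hashed the same way the checker hashes guesses.
SAMPLE_RECORDS = [
    ("svc_backup", sha256_hex("svc_backup")),                 # password equals user name
    ("netadmin", sha256_hex("admin")),                        # default password
    ("jsmith", sha256_hex("correct horse battery staple")),   # not guessable from this list
    ("pmiller", sha256_hex("pmiller123")),                    # user name plus digits
]

if __name__ == "__main__":
    for user, guess in find_weak_credentials(SAMPLE_RECORDS):
        print(f"WEAK: {user} -> {guess!r}")
```

Against a real dump the hashing step is replaced with whatever scheme the target uses (salted, iterated schemes such as bcrypt make each guess far slower, which is the point of them), but the guess list stays the same: the account name itself, trivial variations of it, and the handful of vendor defaults that never get changed.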
So what should the prudent IT manager do? Havelt says one problem is that "there are an inordinate number of organizations that are opposed to real pen testing. They try to limit it to a couple of machines at specific times. That's not how attacks work.
"I understand the realities of business," he says. "But it's like going to a doctor for a complete physical and telling him only to look at your hands."
Beyond that, Havelt says better security requires "carrying things out to their logical conclusion -- looking at a vulnerability and thinking about what can be done with it."
Or as a recently departed genius CEO was fond of saying: Think different.