LogicMonitor Customers Hit By Hackers, Because of Default Passwords (techcrunch.com)
Some customers of the network security company LogicMonitor have been hacked due to the use of default passwords, TechCrunch reports. From the report: A LogicMonitor spokesperson confirmed to TechCrunch that there's "a security incident" affecting some of the company's customers. "We are currently addressing a security incident that has affected a small number of our customers. We are in direct communication and working closely with those customers to take appropriate measures to mitigate impact," LogicMonitor's spokesperson Jesica Church said in a statement.
The incident is due to the fact that, until recently, LogicMonitor was assigning customers default -- and weak -- passwords such as "Welcome@" plus a short number, according to a source at a company that was impacted by the incident, and who asked to remain anonymous as they were not authorized to speak to the press.
Huh. (Score:1)
Doesn't take much "hacking" if you know the password.
Uh, what? (Score:2)
Re: (Score:3)
While strictly true, if I'm doing an offering where it must provide a default password for some reason, it'll generate a password like '2mpB3M45w4D5Vaa7/8iW'. Even if the user never bothers to log in, the password is still pretty much safe from guessing. Meanwhile I've known folks that have a standby like 'ChangeMe@123' and users will just leave that alone for ever, if they are allowed to. Meanwhile even if not forced to change their password, they absolutely will be looking to change it when faced with
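The comment above contrasts a vendor-wide default such as "Welcome@" plus a short number with a per-customer random value like '2mpB3M45w4D5Vaa7/8iW'. The following is an added illustration, not code from the thread or from LogicMonitor, of how an onboarding service would issue a distinct CSPRNG-generated initial password to each tenant and refuse the shared-default shapes the article and the comment describe. The alphabet, the tenant ids and the denylist patterns are assumptions chosen to match the examples quoted on the page.

```python
import math
import re
import secrets
import string

# Assumed alphabet: the sample '2mpB3M45w4D5Vaa7/8iW' mixes letters, digits
# and '/', so a 63-symbol set in that style is used here.
ALPHABET = string.ascii_letters + string.digits + "/"

# Constructed denylist of vendor-wide default shapes. "Welcome@" followed by a
# short number is the pattern the article reports; "ChangeMe@123" is the
# commenter's own example of a default users never replace.
SHARED_DEFAULT_PATTERNS = [
    re.compile(r"^Welcome@\d{1,4}$"),
    re.compile(r"^ChangeMe@\d{1,4}$"),
]


def generate_initial_password(length: int = 20) -> str:
    """Return a fresh initial password drawn uniformly with a CSPRNG.

    Every call yields an independent value, so no two tenants share a
    default and learning one tenant's password reveals nothing about another.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def shared_default_guess_space(max_digits: int = 4) -> int:
    """Number of candidates in 'Welcome@' + 1..max_digits digits.

    This is the whole search space an attacker faces against that default;
    compare it with 2 ** entropy_bits(20) for the random scheme.
    """
    return sum(10 ** k for k in range(1, max_digits + 1))


def is_shared_default(password: str) -> bool:
    """True if the password matches a known vendor-wide default shape."""
    return any(p.match(password) for p in SHARED_DEFAULT_PATTERNS)


def issue_tenant_passwords(tenant_ids):
    """Map each tenant id to a fresh initial password, rejecting weak shapes."""
    issued = {}
    for tenant in tenant_ids:
        candidate = generate_initial_password()
        # Defensive check: a CSPRNG value will not match, but the same gate
        # protects against a hand-entered or templated default slipping in.
        if is_shared_default(candidate):
            raise ValueError(f"refusing shared-default password for {tenant}")
        issued[tenant] = candidate
    return issued


if __name__ == "__main__":
    # Constructed tenant ids.
    for tenant, pw in issue_tenant_passwords(["tenant-a", "tenant-b"]).items():
        print(tenant, pw)
    print(f"random scheme: ~{entropy_bits(20):.1f} bits")
    print(f"'Welcome@' + short number: {shared_default_guess_space()} candidates")
```

The point the numbers make: a 20-character draw from a 63-symbol alphabet carries roughly 119 bits of guessing entropy, whereas every "Welcome@" plus a one-to-four-digit number fits in about eleven thousand candidates, and that space is shared by every customer who never changed it.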
Re: (Score:2)
Do you print the default on a label so they can get into a defaulted box 5 years later? I've had devices which use the serial number as part of a default password, which makes it unique but easily recovered.
> 'ChangeMe@123' and users will just leave that alone for ever, if they are allowed to.
Stupidity should be painful.
Re: (Score:2)
Depends on the service.
The device might be usable without actually going through a 'setup' wizard. If a user buys a device and just uses it at defaults, then a wide open setup wizard could just stay there until an attacker uses it.
If the service/device is utterly useless until you actually go through the setup process, then sure. If there's a default usable behavior, well you might not get to force the user to take care of the security.
Re: (Score:2)
For some of the copiers, Xerox in particular, the default password is the serial number of the machine. Case sensitive. That would seem to be a logical starting point.
Even my dad's wireless password is the serial number of his router.
Re: (Score:2)
Simple UI feature, the first login should prompt to change the password. On Linux I do this by setting the user's password expire date with "chage". You can also choose to have it warn you for a number of days and to force you after the grace period, or just warn you forever. For those who implement their own password UIs, feel free to copy Unix's 40 year history on the subject as a base line of minimum feature set.
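The comment above relies on the shadow password aging fields that `chage` edits: `chage -d 0 user` sets the last-change day to 0, which forces a change at the next login, while `-M` and `-W` set the maximum age and the warning window. The following is an added audit helper, not code from the thread, that parses /etc/shadow-format lines and reports which accounts are still waiting for that forced first-login change, which never expire, and which are overdue. The sample lines, hashes and the reference date are constructed for the example.

```python
from datetime import date

# Constructed /etc/shadow-style lines with fake hashes. Field layout:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange counts days since 1970-01-01; 0 is what `chage -d 0` writes and
# means "must change at next login". An empty max field means never expires.
SAMPLE_SHADOW = """\
alice:$6$fakehash1:0:0:90:7:::
bob:$6$fakehash2:19550:0:90:7:::
carol:$6$fakehash3:19000:0::7:::
dave:$6$fakehash4:19400:0:90:7:::
svc:*:19000:0:90:7:::
"""

EPOCH = date(1970, 1, 1)


def parse_shadow(text):
    """Parse shadow-format lines into dicts; missing numeric fields become None."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) < 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        to_int = lambda s: int(s) if s else None
        rows.append({
            "name": f[0],
            "hash": f[1],
            "lastchange": to_int(f[2]),
            "max": to_int(f[4]),
            "warn": to_int(f[5]),
        })
    return rows


def audit_aging(text, today=None):
    """Classify each account's password-change state as of `today`."""
    today = today or date.today()
    today_days = (today - EPOCH).days
    findings = {}
    for r in parse_shadow(text):
        h = r["hash"]
        if h in ("*", "!", "!!") or h.startswith("!"):
            state = "locked"          # no password login possible
        elif r["lastchange"] == 0:
            state = "change-forced"   # first login will demand a new password
        elif r["max"] is None:
            state = "never-expires"   # a left-alone default stays forever
        elif today_days - r["lastchange"] > r["max"]:
            state = "expired"         # overdue; login will force a change
        else:
            state = "ok"
        findings[r["name"]] = state
    return findings


if __name__ == "__main__":
    # Constructed reference date so the output is reproducible.
    for name, state in audit_aging(SAMPLE_SHADOW, date(2023, 9, 1)).items():
        print(f"{name:6s} {state}")
```

Accounts reported as "never-expires" are the ones the commenter is warning about: nothing will ever push those users off a default they were allowed to keep.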
Re: (Score:2)
> the choice for new devices is either 1) a default password, or 2) no password at all.
No, those are not the only choices.
It is common for many new devices to have a different built-in password for each device.
My router came with a sticker that had a serialized SSID and a unique password. I changed both, but I would have been reasonably secure even if I hadn't. A hacker would only get in if they had access to the manufacturer's data.
By using the same/weak default password for every device, LogicMonitor was negligent and not following industry best practices.
Re: (Score:2)
> the choice for new devices is either 1) a default password, or 2) no password at all.
> No, those are not the only choices.
> It is common for many new devices to have a different built-in password for each device.
> My router came with a sticker that had a serialized SSID and a unique password. I changed both, but I would have been reasonably secure even if I hadn't. A hacker would only get in if they had access to the manufacturer's data.
> By using the same/weak default password for every device, LogicMonitor was negligent and not following industry best practices.
You just described an instance of choice 1. Even a unique default password is a default password.
Re: (Score:2)
Who makes a security product that doesn't force you change your password when you install it?
Yes, it's user error, but it's the job of a UI to make user error difficult.
Re: (Score:2)
This is stupid user in collaboration with stupid vendor. Of course any reasonable security product will either come with good default passwords or force a change immediately. I mean, this is not an ElCheapo crappy Chinese web-cam, is it?
Re: (Score:2)
The fault really can be both sides. If a product has to be connected to the Internet before it is configurable, then there is a chance it can be picked up and used. Especially if the device is something that doesn't really require being logged onto, and is a passive item.
Some countries (the UK, IIRC) have passed laws requiring that a device's initial password be unique, such as the MAC of the device, or that the device, as soon as it is configured, require a custom username/password, or at least a c
Re: (Score:2)
it is defective. FTFY.
Password and then some. (Score:2)
You could get away with a default password if you locked it down to the same IP range as the signup form....
ick (Score:3)
I was an early LM customer. I seriously do not miss using them. One weekend they enabled a bunch of new alerts, and my text messages blew up - left a family event to find nothing wrong but broken monitoring.
Re: (Score:2)
So maybe deploy the change to your sales/test tenant and not globally to all tenants. Maybe give your customers the option to turn on new features themselves so they can plan for change. When you've built processes around a tool and then that tool suddenly changes on you, it is not good; SaaS needs better models.
Sooooo (Score:2)
This is a product that is _how_ expensive, exactly, and they are too lazy/stupid/incompetent to make good initial passwords for their customers?
Idea. (Score:2)