so. NONE of you could keep your goofy little FUCKING MOUTHS SHUT. COULDN'T YOU.

seen from Slovenia

seen from Slovenia

seen from United States

seen from Maldives

seen from Australia

seen from Slovenia

seen from United States
seen from Maldives

seen from Belgium

seen from United Kingdom
seen from Netherlands
seen from United States

seen from Israel
seen from United States

seen from Slovenia
seen from Germany

seen from United States

seen from Slovenia
seen from United Kingdom
seen from China
so. NONE of you could keep your goofy little FUCKING MOUTHS SHUT. COULDN'T YOU.
7 Powerful Fixes for Digiever DS-2105 Pro CVE-2023-52163
Your CCTV NVR Is a Server (Treat It Like One)
If you manage CCTV or NVR gear in a small business, treat it like a production server—not a “set-and-forget” appliance. CISA added the Digiever DS-2105 Pro NVR vulnerability (CVE-2023-52163) to the Known Exploited Vulnerabilities (KEV) catalog amid active exploitation, proving that “non-IT” devices can quickly become botnet footholds and lateral-movement launchpads.
This post turns the Digiever DS-2105 Pro incident into an actionable IoT patch hygiene program SMBs can run without a huge budget—with configs, scripts, and audit-friendly evidence you can hand to leadership, auditors, or your MSP.
TL;DR: The 7-Fix Playbook
Find every NVR (including Digiever DS-2105 Pro) and assign an owner
Remove internet exposure: no port forwards, no inbound WAN to NVRs
Disable UPnP so routers don’t reopen ports automatically
Isolate NVRs on a dedicated CCTV VLAN and restrict egress (default-deny)
Lock down admin access: unique creds, least privilege, MFA via VPN/jump
Patch on a KEV-driven emergency workflow; use compensating controls if delayed
Turn on budget detection: DNS spikes, outbound beacons, unusual destinations
1) Why NVRs Get Owned (and Why It Keeps Happening)
Most NVR compromises follow a repeatable pattern: the device is reachable from the internet, firmware is outdated, and the network treats it like a trusted internal host. Once an attacker lands, they can drop a botnet payload, pivot into file shares, or exfiltrate footage.
Common exposure patterns
NVR web UI exposed to WAN (port-forwarding, public IP, or cloud relay)
UPnP enabled → automatic inbound mappings
Default/reused admin credentials; shared “installer” accounts
Flat network: NVR sits beside laptops, servers, POS
No centralized logging: compromise looks like “normal traffic”
2) Operationalize CISA KEV for Edge/IoT (Not Just Servers)
Many SMBs treat CISA KEV as an IT problem for Windows and servers. That’s the mistake. KEV additions should be “drop-everything” for edge/IoT too: NVRs, routers, VPN gateways, printers, NAS.
Minimum viable KEV workflow (SMB-friendly)
Triage (30 minutes): Do we have the product/model/version anywhere?
Decide (2 hours): Patch now, isolate now, or disable exposure now
Execute (48 hours): Implement the fix + capture evidence (exports/screenshots)
Close the loop: Validate externally (reachability) + internally (logs/alerts)
KEV mapping script (offline, no external links)
Keep a locally synced KEV file (JSON/CSV) inside your environment and compare it to your IoT inventory:
# kev_match.py import csv import json from pathlib import Path KEV_JSON = Path("kev_catalog.json") # locally synced copy ASSETS_CSV = Path("iot_inventory.csv") # your CMDB-lite export def norm(s: str) -> str: return (s or "").strip().lower() kev = json.loads(KEV_JSON.read_text(encoding="utf-8")) kev_rows = kev.get("vulnerabilities", kev) hits = [] with ASSETS_CSV.open(newline="", encoding="utf-8") as f: for row in csv.DictReader(f): product = norm(row.get("product") or row.get("vendor_model")) vendor = norm(row.get("vendor")) for k in kev_rows: if norm(k.get("product")) in product and norm(k.get("vendor")) in vendor: hits.append({ "asset_id": row.get("asset_id"), "hostname": row.get("hostname"), "product": row.get("product") or row.get("vendor_model"), "cveID": k.get("cveID") or k.get("cve"), }) print(f"KEV matches: {len(hits)}") for h in hits: print(f"- {h['asset_id']} {h['product']} => {h['cveID']}")
3) The 7 Powerful Fixes (48-Hour Hardening Sprint)
Use these steps for Digiever DS-2105 Pro CVE-2023-52163, then keep them as a repeatable playbook for any NVR vulnerability.
Fix 1 — Find Every NVR (Inventory + Discovery)
Start with “IoT CMDB lite”: devices, owners, location, firmware, access path, patch dates.
asset_id,hostname,ip,mac,vendor,product,firmware,location,owner,criticality,remote_access,notes,last_patch_date,kev_hit iot-001,nvr-frontdesk,10.30.10.10,AA:BB:CC:DD:EE:FF,Digiever,DS-2105 Pro,3.1.0.71-11,Front Desk,Facilities,High,None,"On VLAN 30",2025-12-01,yes
Discovery scan (authorized only):
nmap -sS -sV -Pn --open -p 22,23,80,443,554,8000,8080,8443,8899 10.30.0.0/16 -oA cctv_discovery
Fix 2 — Remove Inbound WAN Exposure (Port Forwards = Compromise)
Fastest risk reduction: delete port forwards, disable remote management, block inbound WAN to CCTV subnet.
Linux nftables (example pattern):
nft add table inet filter nft 'add chain inet filter input { type filter hook input priority 0; policy drop; }' nft 'add rule inet filter input ct state established,related accept' nft 'add rule inet filter input iifname "lo" accept' nft 'add rule inet filter input ip saddr 10.10.0.0/16 accept' # Admin VPN
MikroTik (drop inbound to CCTV VLAN + remove NAT forwards):
/ip firewall filter add chain=input connection-state=established,related action=accept add chain=input src-address=10.10.0.0/16 action=accept comment="Admin VPN/jump subnet" add chain=input in-interface=WAN dst-address=10.30.0.0/16 action=drop comment="Block WAN to CCTV" /ip firewall nat # Remove any dst-nat rules that forward ports to 10.30.0.0/16
Ubiquiti EdgeOS (example):
configure delete service nat rule 100 # remove a port forward rule set firewall name WAN_LOCAL default-action drop set firewall name WAN_LOCAL rule 10 action accept set firewall name WAN_LOCAL rule 10 state established enable set firewall name WAN_LOCAL rule 10 state related enable set firewall name WAN_LOCAL rule 50 action drop set firewall name WAN_LOCAL rule 50 destination address 10.30.0.0/16 commit; save; exit
Fix 3 — Disable UPnP (Stop Ports From Reopening)
UPnP is how routers silently expose NVR admin panels.
MikroTik:
/ip upnp set enabled=no
OpenWrt:
uci set upnpd.config.enabled='0' uci commit upnpd /etc/init.d/miniupnpd stop /etc/init.d/miniupnpd disable
Fix 4 — Isolate NVRs on a CCTV VLAN (Segmentation You Can Prove)
Dedicated VLAN prevents pivoting into business systems and creates clean audit evidence.
Cisco IOS (VLAN 30 example):
conf t vlan 30 name CCTV_NVR interface range gi1/0/10-12 switchport mode access switchport access vlan 30 spanning-tree portfast end wr mem
Default-deny egress (allow only what’s needed):
nft add rule inet filter forward ip saddr 10.30.0.0/16 ip daddr 10.30.0.53 udp dport 53 accept nft add rule inet filter forward ip saddr 10.30.0.0/16 ip daddr 10.30.0.53 tcp dport 53 accept nft add rule inet filter forward ip saddr 10.30.0.0/16 udp dport 123 accept nft add rule inet filter forward ip saddr 10.30.0.0/16 ip daddr 10.20.5.25 tcp dport 443 accept # viewing station nft add rule inet filter forward ip saddr 10.30.0.0/16 oifname "WAN" drop
Fix 5 — Lock Down Admin Access (Accounts, MFA, Safe Remote Viewing)
Even after patching, assume attackers probe exposed admin paths.
Remove/rename default admin accounts; eliminate shared installer creds
Unique long passwords in a password manager
Admin UI only from admin VLAN/VPN (never WAN)
Remote viewing via VPN/jump host (no port forwarding)
Enable NTP/time sync for usable logs
Internal-only allowlist reverse proxy pattern:
server { listen 443 ssl; server_name nvr-admin.local; allow 10.10.0.0/16; # Admin VPN allow 192.168.50.0/24; # Jump host subnet deny all; location / { proxy_pass http://10.30.10.10; proxy_set_header Host $host; } }
Fix 6 — Patch Fast (KEV Emergency SLA) + Compensating Controls
For KEV-listed issues like CVE-2023-52163, use an emergency SLA (48 hours), even if normal IoT patching is monthly. If patching is blocked (EOL, vendor delay), apply compensating controls until replacement.
Patch SLA tracker:
# patch_sla.py import csv from datetime import datetime, timedelta EMERGENCY_DAYS = 2 MONTHLY_DAYS = 30 def parse(d): return datetime.strptime(d, "%Y-%m-%d") today = datetime.utcnow().date() with open("iot_inventory.csv", newline="", encoding="utf-8") as f: for r in csv.DictReader(f): last_patch = r.get("last_patch_date") or "1970-01-01" sla = EMERGENCY_DAYS if (r.get("kev_hit","").lower() == "yes") else MONTHLY_DAYS due = parse(last_patch).date() + timedelta(days=sla) if today > due: print(f"[OVERDUE] {r.get('asset_id')} {r.get('product')} due={due} owner={r.get('owner')}")
Virtual patch example (block risky path while patching):
location ~* /time_tzsetup\.cgi { return 403; }
Fix 7 — Detection on a Budget (Beacons, DNS Spikes, Unusual Destinations)
You don’t need a full SOC—just a few high-signal checks.
Minimum viable logging
Firewall logs for CCTV VLAN egress (at least denies)
DNS logs (queries from CCTV VLAN devices)
DHCP leases (MAC-to-IP history)
Syslog from NVR (auth/config changes/reboots), if supported
Suricata-style alert (example):
alert ip 10.30.0.0/16 any -> any ![53,80,123,443] (msg:"CCTV unusual egress port"; sid:1003001; rev:1;)
DNS spike watch:
# dns_spike_watch.py from collections import Counter import re LOG = "dns.log" CCTV_SUBNET_PREFIX = "10.30." pattern = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+query\s+(\S+)") counts = Counter() with open(LOG, encoding="utf-8", errors="ignore") as f: for line in f: m = pattern.search(line) if not m: continue ip, domain = m.group(1), m.group(2).lower().strip(".") if ip.startswith(CCTV_SUBNET_PREFIX): counts[(ip, domain)] += 1 for (ip, domain), n in counts.most_common(25): if n >= 50: print(f"[DNS SPIKE] {ip} -> {domain}: {n}")
4) Free Security tool Screenshots (Trust + Conversions)
Free Website Vulnerability Scanner tool by Pentest Testing Corp
Sample report from the tool to check Website Vulnerability
5) Compliance Angle: Turn Controls Into Audit Evidence
Even without formal certification, these artifacts help with customer questionnaires, cyber insurance, and incident response.
Evidence pack (copy/paste):
/evidence/iot-nvr-hardening/ 01_inventory/iot_inventory.csv 02_network/segmentation_diagram.png 03_firewall/cctv_vlan_rules_export.txt 04_patching/firmware_versions_before_after.csv 05_validation/external_port_scan_before_after.txt 06_monitoring/dns_spike_alerts_screenshots/ 07_change_control/change_record.yaml
Hash manifest:
find evidence -type f -print0 | xargs -0 sha256sum > evidence_hashes.sha256
6) When to Bring Experts (and What to Scope)
Bring in a scoped assessment when:
You can’t confidently remove WAN exposure
Segmentation is messy / breaks operations
You suspect compromise already
You need audit-grade validation
Practical scope: validate remote-access paths, test segmentation boundaries, review firewall rules, and simulate pivot attempts from CCTV VLAN into business systems.
Where Pentest Testing Corp Helps (Internal Links Only)
If you need an audit-friendly plan to reduce IoT and network risk, start at:
https://www.pentesttesting.com/
For formal gap mapping and prioritization:
Risk Assessment Services: https://www.pentesttesting.com/risk-assessment-services/
Remediation Services: https://www.pentesttesting.com/remediation-services/
Relevant testing services for edge/IoT exposure:
Internal Network Penetration Testing: https://www.pentesttesting.com/internal-network-pentest-testing/
External Network Penetration Testing: https://www.pentesttesting.com/external-network-pentest-testing/
Managed IT Services: https://www.pentesttesting.com/managed-it-services/
Related reading (recent):
https://www.pentesttesting.com/misconfigured-edge-devices-hardening-sprint/
https://www.pentesttesting.com/cisa-kev-remediation-sprint-in-30-days/
https://www.pentesttesting.com/sierra-wireless-airlink-aleos-vulnerability/
Run a quick exposure sweep with our free tools: https://free.pentesttesting.com/ Then isolate your CCTV/NVR fleet, patch KEV hits, and prove the fix.
17 Essential Steps to Fortify Your AI Application
Master AI security with these 17 essential steps! #AISecurity #DataProtection #CyberSecurity
In today’s digital landscape, securing AI applications is crucial for maintaining trust and ensuring data integrity. Here’s a comprehensive guide to the 17 essential steps for fortifying your AI application. 1. Encrypt Data Ensure that all data, both in transit and at rest, is encrypted. Use industry-standard encryption protocols like AES (Advanced Encryption Standard) for data at rest and TLS…
View On WordPress
Alberta Wildfire Updates & Information
Experts In Disaster Response Communications
JOIN NOW - http://bit.ly/ABwildfires #ABfires #ABfire #ABwildfires #ABwildfire #WildfireSafety #WildfireSeason #Wildfires #VOST #WildfireInfo #WildfireStatus #EmergancyManagement #AEMA #abgov #ableg
When you leave your Friday afternoon "standup" (that always turned into a full-on meeting and PagerDuty goes off 5 seconds later... There are probably more than a few things you wish you knew but most of all you want to know who you to go to for solution-critical information. If only you had... OpenContext.
What Are The Top Cybersecurity Challenges?
Cybersecurity is constantly challenged by cyberpunks, data loss, privacy, threat, and changing cyber security methods. The variety of cyberattacks is not anticipated to decrease in the future. Moreover, increased access factors for attacks, such as the arrival of the internet of things, boost the requirement to protect tools and networks. Among the most problematic elements of cybersecurity is the evolving nature of security risks. As new modern technologies arise, and as innovation is used in new or various ways, new avenues are developed. Keeping up with these frequent adjustments and advances in attacks, and updating techniques to protect against them, can be challenging. Concerns include making certain all elements of cybersecurity are upgraded to secure against potential vulnerabilities. In addition, organizations can collect a lot of potential information on people who use one or more of their services. With more information being collected, the chance of a cybercriminal who desires to swipe personally recognizable info is another concern. Cybersecurity programs need to also address end-user education and learning, as workers might accidentally bring viruses right into the workplace on their laptops or mobile phones.
How is automation used in cybersecurity? Automation has become an integral component to keep companies secured from the growing number and refinement of cyberthreats. With compliance to the use of the expert system and artificial intelligence in areas with high-volume data streams can assist boost cybersecurity in three main categories: Threat Detection- AI platforms can assess data and identify known threats, along with anticipating unique threats. Risk reaction- AI platforms also create and immediately pass protection protections. Human augmentation- Safety pros are often overwhelmed with signals and repeated jobs. AI can help remove sharp fatigue by instantly triaging low-risk alarms and automating big data analysis and other repeated tasks, releasing people for more sophisticated jobs. Cybersecurity providers and devices Providers in the cybersecurity area usually offer a variety of safety products or services and also use the incident response approach. Typical protection tools and systems include: Identification and access to monitoring Firewall software Endpoint protection Anti malware Intrusion prevention/detection systems (IPS/IDS) Endpoint detection and response What are the professional chances in cybersecurity?
As the cyber threat landscape continues to grow and new threats arise. People are required with cybersecurity understanding and software and hardware skills. The chief info security officer (CISO) is the person that carries out the safety program across the organization and looks after the IT security department's operations. The Chief security organization (CSO) is the executive responsible for the physical and/or cybersecurity of a company. Security engineers protect firm assets from threats with a focus on quality control inside the IT infrastructure. Penetration testers are ethical hackers that check the safety of networks, applications, and systems, seeking susceptibilities that could be manipulated by harmful actors.
· 2020/06/26 ·
Incident Response & Threat Hunting notes. Computer Science and Information Security has so many super interesting fields to offer 💛
How to handle an outage
I got some questions on Twitter about npm's incident response process, so here I am blogging yet again. I looked up our internal docs on the topic, and was surprised to notice how terse they are.
Here's the "how to handle an outage" document that's in our operations repo:
How to handle an outage
Take a deep breath. I know we joke that things are on fire, but they're not literally on fire. People can't install javascript packages. We'll fix it. It'll be okay.
The person on PagerDuty should assume point & hande initial investigations.
The point person should make sure that the following two roles are filled: operations, which acts to resolve the outage, and communications, which shares information about the outage to the public & the rest of the company. Escalate operations to a subject matter expert if you aren't qualified to fix the problem yourself, and assume the communications role. If you are the expert, pick somebody else as communicator. (Don't try to do both during a serious outage. It's too stressful.)
In very serious outages or security incidents, there might be a third role, that of coordinator who decides what actions to take next. If you move the discussion from #ops to #incident-response, it's probably serious enough to warrant that third role. Also, if more than one person is acting in operations to fix things, choose a coordinator to avoid collisions or conflicting efforts.
If the outage is visible to users in any way, the communicator should open a statuspage.io incident immediately. Do this even if we don't know anything yet. An open incident gives Support a place to point people for more information.
The communicator should keep the incident updated as we learn more: use the "identified", "monitoring", and "resolved" statuses to let people outside know what to expect.
People who aren't actively involved in the incident should ask their questions of the communicator, not the operations person.
The operations person or people should keep the Slack channel updated with new information as they can.
Serious incidents usually warrant postmortem discussions to figure out how improve our response next time as well as to note what we did well.
That's it
It's just enough to guide the team to doing three things:
clarify who has initial responsibility
assign further roles so we can coordinate
write a status incident so our users know what's happening
In addition, when the outage is more than a trivial one-- e.g., AWS is down or a single point of failure has failed and cannot be restored easily--we make our response more formal. We move all communication to one place, a Slack channel set aside for incident response. In that channel, communications are more stylized. We acknowledge requests and responses, and I take pains to thank people for actions.
Why do I do this? To slow things down.
Yes, I literally slow incident response down. Usually people are stressed during incidents and they're doing things in a rushed way, because they feel the urgency of the problem. Pausing to breathe and think carefully results in better decision-making, and overall faster resolution to the incident. I also think being extra-polite in sticky situations helps us as humans cope with stress. Our users might be yelling at us, but we're not yelling at each other. Instead, we're a kind and thoughtful team, and that's being modeled by the person with the CTO title.
I also think acking communication is a good way to make sure nothing gets lost. SYN/SYN-ACK/ACK is a way of life, you know?
Postmortems follow outages
The less grim word for this is "retrospective", but I seem to be stuck on the autopsy language. This is an important step for any incident or project. Some guidelines we follow:
The postmortem must happen after things have concluded and everyone is calm again.
Focus must be on processes not people. This is what "blameless postmortem" means for us.
Sometimes people become aware during incident response that they've made mistakes or taken down production with some action. I go out of my way to make it clear that this is our collective fault. Our processes let us down by not catching the problem before it could go live. If it's got to be any one person's fault, it's mine for not putting a better safety net in place before it could happen.
"Process" is a scary word that feels heavyweight, but what it really means is "the way you normally do things". You always have process; the question is whether your process is intentionally designed or not. You can and should change your processes when you find better ways to do things. Your processes are there to help you, not to be something you serve mindlessly.
Process is a safety net. Process is what allows us fallible humans to work and make mistakes without regularly blowing things up. It's a safety latch on a gate, a pre-launch checklist, your belayer checking your harness before you start climbing the cliff.
Some examples of processes you might have:
Pull requests are reviewed by at least one other engineer before they're landed.
Deploys get tested in a staging environment before they go to production.
Deploys get tested on a canary with a portion of production traffic before they roll out fully.
Libraries must have 90% (or 100% or something else) code coverage from unit tests.
In our retrospectives, we look at our processes and where they helped us and where they let us down. Did we follow them? If not, why not? What can we change so we can avoid this category of problem next time? What can we change so we can recover even faster from an event that's out of our control?
It's most fascinating to me when we have processes that we ignore. There's always a good reason. Sometimes it's that the process is a pain to follow, or not obviously helpful.
My general maxim is that the easy thing to do should be the right thing. Yes, the sentence is ordered that way. In a pinch we'll always go with the easiest thing to do, so we better prepare hard so when that moment comes, the easy thing is a good thing and not a trap. This can take a lot of planning and hard work to set up, but the trick is that you're doing that hard work when it's not stressful, when you're at your leisure to do it right. Danger operations used to have a saying: "maximize net slack". This means you work hard right now so you can put your feet up on your desk & drink a fancy drink with an umbrella in it later. I believe in this strategy.
The CTO's retro of the incident
We kinda hashed up internal communications during this incident. We did something new in this response, something we couldn't do before: most of the engineers involved in the response got into a Zoom video chat to share screens and discuss the problem. This was great for everybody in the video meeting, but was a comms black hole for everybody not in the meeting. We needed to do a better job of disentangling the person doing comms from any responsibility for debugging, so comms becomes their only job during incidents. I'll probably write something up about that. (If indeed this blog post by itself isn't enough! It might be.)
The npm team did a fantastic job of coming together and working without drama on the problem. I was in a 4-hour meeting that could not be interrupted so my participation was limited to initial escalation and kicking off the incident response process. My participation wasn't necessary, which was perfect. The retro meeting was huge because of how many people contributed meaningfully to the recovery, even the very newest members of the team. It was a good response to a bad event, and I was thrilled to watch it happen.
Making myself unnecessary is a victory.