The CyberWire Daily Briefing 06.07.13

Cyber Trends

Democracy, autocracy, or people's republic: your information is fair game for everyone (Quartz) A headline in this morning's Financial Times informed us that "UK fears grow over China's potential to eavesdrop," in reference to yesterday's release of a British intelligence committee report into the security risk posed by Huawei, the giant Chinese telecoms firm that is now deeply embedded in Britain's telecoms infrastructure. China is a great bogeyman. Surely those of us who live in modern democracies could never trust those secretive communists who spy on their own people and censor candle emoticons. But what China does quite openly, Western governments do through secret yet "entirely legal" programs, as recent bombshells about surveillance by the US National Security Agency have shown. And it isn't just America that is unable to resist snooping. Everyone is at it

Secrecy hampers battle for web (Financial Times) There is an economy you will not find measured in the pages of the FT. It is a place where goods are traded and alliances formed. Margins are high and business is good - there is no tax, no regulation, no crisis nor recession. Growth is assured. It is here that cyber criminals, terrorists and even some governments ply their trade. It is a marketplace where anything from credit card details to an attack on critical infrastructure can be bought and sold

It's not just the US--most countries are spying more on their citizens these days (Quartz) The revelation that the US National Security Agency seems to be collecting the phone records of millions of Verizon customers is shocking, but it's actually part of a growing trend in which governments worldwide are relying on widespread, unrestricted surveillance in the name of national security

Help Needed Desperately For Device Management Says Research (ChannelBiz) A Check Point commissioned report shows companies struggling with mobile device issues

FireEye Announces Australian Cybersecurity Findings (PRWire) FireEye®, Inc., the leader in stopping today's new breed of cyber attacks, has announced findings from a comprehensive survey of the state of Australia's cybersecurity as seen by executives and technical staff across a range of organisations

Most small businesses can't restore all data after a cyber attack (Help Net Security) Almost one-third of U.S. small businesses surveyed by the Ponemon Institute had a cyber attack in the previous year, and nearly three-quarters of those businesses were not able to fully restore their

Publishing the Secunia Country Reports with the State of Private PC Security in the Benelux (NewsWireToday) Secunia, a leading provider of IT security solutions that enable businesses and private individuals to manage and control vulnerability threats, today published the Secunia Country Report for the Netherlands, Belgium and Luxembourg

Legislation, Policy and Regulation

China's Huawei and the UK's critical national infrastructure (InfoSecurity) The UK's Intelligence and Security Committee has published a report, not on whether Huawei should be allowed to supply the critical national infrastructure, but how it was allowed to do so in contracts dating back to 2005

What other countries can learn from Britain's experience with China's Huawei (Quartz) Britain finds itself in an uncomfortable position: It doesn't like the fact that Huawei, a large Chinese firm that manufactures telecoms equipment, is deeply embedded in what Britain calls its "critical national infrastructure," which includes energy supply pipelines, transportation infrastructure, water supplies, and telecommunications networks. But there is nothing it can do

EU net neutrality plan coming (FierceGovIT) European Union Digital Agenda Commissioner Neelie Kroes announced that she will soon introduce proposals to the EU College of Commissioners that will prevent Internet service providers in Europe from blocking customers' access to competitors' services

Sweep of digital wiretapping too broad, says human rights report (FierceGovIT) United Nations special rapporteur on free expression Frank La Rue in an unusual report says that governments must update their communications surveillance legal regimes in light of technology that enables states to conduct "simultaneous, invasive, targeted and broad-scale surveillance" to a degree greater than ever before

Task force calls for stronger U.S. international engagement on cyber issues (FierceGovIT) A task force sponsored by the Council on Foreign Relations calls on the United States to build an alliance for cybersecurity with like-minded actors. The task force - charged with making recommendations for the defense of an open global Internet and co-chaired by John Negroponte, a former diplomat and director of national intelligence, and Samuel Palmisano, the former chief executive officer of IBM - issued June 6 a final report

HASC approves anti-China equipment language in fiscal 2014 NDAA (FierceGovIT) The House Armed Services Committee approved June 6 a national defense authorization act for the coming fiscal year that includes language critics say would likely lead to the exclusion of Chinese-manufactured electronic parts from the defense industrial base, including in unclassified networks

NSA surveillance just gave China's president the perfect come-back line (Quartz) The timing for Barack Obama couldn't be worse. Just as he meets for the first time to forge a new diplomatic relationship with his Chinese counterpart, President Xi Jinping, a series of exposes on the secret surveillance programs of the US National Security Agency has presented a major distraction and eroded America's moral high ground

China Claims "Mountains of Data" Pointing to U.S. Hacking (Security Week) After months of accusations that China was backing extensive cyber-espionage operations against the United States, a top Internet security official in China said it had evidence of U.S. was attacking Chinese targets, too. "We have mountains of data, if we wanted to accuse the U.S., but it's not helpful in solving the problem," said Huang Chengqing, director of the National Computer Network Emergency Response Technical Team/Coordination Center of China, known as CNCERT, told the government-run China Daily newspaper on Wednesday

With troops and techies, U.S. prepares for cyber warfare (Reuters) On the site of a former military golf course where President Dwight Eisenhower once played, the future of U.S. warfare is rising in the shape of the new $358 million headquarters for the military's Cyber Command

US prepares for cyber warfare against China and others (Firstpost) Most of Cyber Command's new troops will focus on defence, detecting and stopping computer penetrations of military and other critical networks by America's adversaries like China, Iran or North Korea. But there is an increasing focus on offense as

Opinion: Threat requires a creative response (Financial Times) And, last month, the US Department of Homeland Security issued an alert to US critical infrastructure companies warning of a heightened risk of a destructive cyber attack. Second, distributed denial of service (DDoS) attacks, have become increasingly

Secret Intelligence Fuels US Hacking Fight With China (Businessweek) That's when a set of key intelligence breakthroughs and devastating attacks, including a breach of Google Inc. (GOOG)'s computers, reshaped the White House view of China's cyber spying. Although public information about the breach at

US to freeze assets of hackers, throw them out of the country (ZDNet) Lawmakers in the U.S. have proposed legislation which will deny hackers entry to the United States and freeze the assets of foreign nationals. The Cyber Economic Espionage Accountability Act was revealed on Thursday, and allows U.S. authorities to "punish criminals backed by China, Russia or other foreign governments for cyberspying and theft"

President Obama Visiting Silicon Valley Tonight, As Reports Of NSA's Tech Spying Come To Light (TechCrunch) President Obama's official schedule indicates that he is currently aboard Air Force One and en route to the San Francisco Bay Area for private events being held tonight with some of Silicon Valley's most elite players. The president's visit comes within hours of massive new revelations about the United States National Security Administration's reported collection of personal user data from

James Clapper Clarifies Remarks Over NSA Snooping (National Journal) Director of National Intelligence James Clapper said Thursday that he stood by what he told Sen. Ron Wyden, D-Ore., in March when he said that the National Security Agency does not "wittingly" collect data on millions of Americans

Lawmakers Defend, Criticize NSA Collection Of Phone Logs (Washington Post) Growing evidence of far-reaching federal surveillance of the phone records and Internet activity of millions of Americans reignited the debate Thursday about how aggressively the federal government uses its surveillance powers to protect against terrorist attacks

Agency Knows Much About Public, But We Know Little About It (Washington Post) Charged primarily with electronic spying around the globe, the NSA collects billions of pieces of intelligence from foreign phone calls, e-mail and other communications. But in the past two days, the focus has shifted to its role in compiling massive amounts of the same information on millions of ordinary Americans

On Spying, A Deficit Of Trust (TechCrunch) After it was revealed that the National Security Administration was collecting phone records of every single U.S. call on the Verizon network, even President Obama's most ardent supporters are losing faith that he would usher in a more transparent government. Loyal Democrat, former Vice President and Internet inventor, Al Gore called the NSA's massive spying program "obscenely

Government Needs Legal Framework to Guide Cyber-Defenders: Former CIA Director (Security Week) The former head of the National Security Agency painted a stark picture of government cyber-defenders unable to deal with the current wave of adversaries, not because of a lack of talent, but because legal frameworks defining their roles are not yet in place

Lawmaker: ACA-mandated data hub a privacy nightmare (FierceHealthIT) A data services hub mandated by the Affordable Care Act that will be used to connect state health insurance exchanges with federal agencies poses a significant threat to privacy and security, one Republican lawmaker said this week

Products, Services, and Solutions

Google-like search comes to Hadoop (FierceBigData) Before one can analyze data, one has to find it. In the large, multisource database known as Hadoop, searching for data has never been as easy as it should be, given the contributions of developers who got their start with giant search engines such as Google's. And while some companies have used publicly available data on the basics of Google (NASDAQ:GOOG) search technology to develop similar engines, according to Wired this week, others are taking bigger steps

Tripwire includes web application scanning with IP360 (Help Net Security) Tripwire announced that dynamic web application scanning is now included in IP360. This critical functionality enables customers to detect and prioritize web application vulnerabilities

Lunarline's School Of Cyber Security Offers New Course (Sacramento Bee) Lunarline, Inc., has launched a new course to provide Assessing Network Vulnerabilities

AhnLab Selects Mailshell Anti-Phishing Engine to Enhance AOS' Web Security (PRWeb) AhnLab becomes the fifth major AV provider within the last year to license Mailshell protection from web-based phishing

PC Advisor Awards 2013: Best Security Software (PC Advisor) Bitdefender Internet Security 2013 is an internet security suite that offers excellent protection and a user-friendly interface. Bitdefender does have some mild scanning-speed issues, but otherwise it's an easy-to-use suite that gives you several nice

Juniper Networks Launches New DDoS Protection Solution for Data Centers (Security Week) Juniper Networks this week announced the availability of Junos DDoS Secure, a new offering designed to protect data centers against increasingly complex Distributed Denial of Service (DDoS) attacks

EventTracker Partners with Namtek (SF Gate) EventTracker, a leading provider of comprehensive SIEM solutions, announced today that Namtek Corp. (Namtek) has joined the Solution Partner Program at the Premier level. Namtek will be a value-added reseller of EventTracker's comprehensive suite of SIEM and log management solutions, which offer security, operational, and regulatory compliance monitoring

Technologies, Techniques, and Standards

100% Compliant (for 65% of the systems) (Internet Storm Center) At a community college where I'm helping out whenever they panic on security issues, I recently was confronted with the odd reality of a lingering malware infection on their network, even though they had deployed a custom anti-virus (AV) pattern ("extra.dat") to eradicate the problem. Of course, these days, reliance on anti-virus is somewhat moot to begin with, our recent tally of fresh samples submitted to VirusTotal had AV lagging behind about 8 days or so. If you caught a keylogger spyware, 8 days is plenty to wreak havoc. I usually compare today's AV to the coroner in CSI, he can probably tell what killed you, but won't keep you alive

Are you resilient to the main causes of cloud outages? (TrendMicro Cloud Security Blog) The Cloud Security Alliance recently released a white paper on cloud computing vulnerability incidents spanning the last five years. They looked at more than 11 thousand news articles regarding cloud computing-related incidents to determine the top reasons behind outages. Did you know 64 percent of the outages can be attributed to one of three causes

How to secure your Facebook profile (TrendMicro Countermeasures Blog) Time passes and Facebook changes, this is a law as immutable as gravity. I have updated my Facebook privacy guide from the 2011 edition to give you a step-by-step walkthrough of every important configuration screen and an explanation of how each important function really works

The Challenges and Benefits of Virtualized Environments for Midsize Businesses: A VMware and Trend Micro Q&A (TrendMicro Cloud Security Blog) According to Gartner, midsize businesses[1] account for nearly 40 percent of U.S. server sales.[2] Unlike large enterprises, these organizations have fewer resources to support the deployment and maintenance of new servers in existing IT environments. With the goal of optimizing their entire IT infrastructure, midsize businesses are turning to virtualization

Rogue employees, malware exploits and unauthorized software (Help Net Security) While IT security professionals recognize the threat posed by unwitting employees, many still admit to allowing administrative privileges to go unmanaged, making organizations increasingly vulnerable

Matching Protection Criteria to the Next Wave of Threats (Security Week) It seems that nearly every five years we're faced with a new cycle of threats - from viruses to worms to spyware and rootkits. Today we find ourselves combatting the latest wave - advanced malware, targeted attacks and advanced persistent threats (APTs). While these threats have demonstrated themselves to be more damaging than any in their wake, technologies are available to deal with them. We just need to select the right ones and apply them correctly

Marketplace

Will users outside the US disconnect their Google, Facebook, Yahoo, AOL, Microsoft and Apple accounts now? (Quartz) If the Guardian and Washington Post are correct, the US government has direct access to the servers of Google, Facebook, Yahoo, AOL, Skype and Apple, and is pulling data from them which is then filtered for "foreignness." It's a program allegedly designed to look for terrorists who are using these services, but because of the nature of the wide net being cast, it's very likely that it's turning up orders of magnitude more false positives than real terrorists

USAF adding more cyberexperts (UPI) At the end of April, Air Forces Cyber, a component of the U.S. Cyber Command, opened a 46,000-square-foot headquarters and operations center for plans and operations capabilities and coordination with integrated personnel from law enforcement, the

NSA Building $860 Million Data Center in Maryland (Data Center Knowledge) The construction at Fort Meade will see investment of $400 million in fiscal 2013 and $431 million in fiscal 2014. Up to 6,000 workers will be involved in the construction and development phase, the NSA said. Scheduled for completion in 2016, the

Sourcefire, Inc. (FIRE), Symantec Corporation (SYMC): Finding Strength in Security (Motley Fool) As society becomes increasingly tied to the cyber world, threats of cyber attacks and the importance of cyber security becomes all the more important. Today, everything vital to our lives takes place in some form online, a trend that is only expected to continue into the future

Larry Prior Named CSC Defense, Intell Group VP and GM (GovConWire) Larry Prior, former chief operating officer at BAE Systems Inc., has joined Computer Sciences Corp. (NYSE: CSC) as vice president and general manager of the defense and intelligence group

Thomas Kirchmaier Named General Dynamics Advanced Information Systems President (GovConWire) Thomas Kirchmaier Thomas Kirchmaier, formerly a senior vice president and general manager at General Dynamics (NYSE: GD), has been promoted to president of the General Dynamics Advanced Information Systems business unit and vice president of the corporation

Security Patches, Mitigations, and Software Updates

Microsoft to release five bulletins next week (Help Net Security) Microsoft released advance notification for next week's Microsoft patch and it looks like we're getting only five bulletins. We received several comments on what we can expect on Tuesday

Cyber Attacks, Threats, and Vulnerabilities

National Security Agency reportedly has total access to servers of nine major tech firms (ITProPortal) Should you think twice about posting that photo to Facebook? According to a new report from The Washington Post, the National Security Agency (NSA) is tapping directly into the servers of nine US Internet firms, including the popular social network

Google, Facebook, Microsoft, others allegedly allow the US government to "watch your ideas form as you type" (Quartz) The Washington Post is reporting that a "horrified" career intelligence office has provided slides detailing a secret US government spying program in which the US National Security Agency (NSA) and the FBI allegedly have direct access to the servers of Microsoft, Yahoo, Google, Facebook, AOL, Skype, YouTube and Apple. (Update: NBC says it has confirmed PRISM's existence with anonymous sources, but "a government official says it is a data collection program rather than a data mining program." Which may be so, though if one collects data, one can always mine it afterwards at one's leisure.) Here are the alleged details, as reported so far by the Post and the Guardian

U.S. Government: Reports About PRISM Contain "Numerous Inaccuracies" (TechCrunch) After the flurry of reports about the NSA's alleged PRISM surveillance program earlier today, the U.S.'s Director of National Intelligence James R. Clapper just released an official statement. According to Clapper, "The Guardian and The Washington Post articles refer to a collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous

Google, Facebook, Dropbox, Yahoo, Microsoft And Apple Deny Participation In NSA PRISM Surveillance Program (TechCrunch) The Washington Post today reported that Google, Apple, Facebook, Dropbox, Microsoft, Paltalk, AOL (TechCrunch's parent company) and Yahoo participated in the so-called PRISM program which provided the NSA with what looks like virtually direct access to their servers and their users' data. We have now reached out to all of these companies and so far, Facebook, Google and Apple have denied that they

Apple to Yahoo Deny Providing Direct Access to Spy Agency (Bloomberg) U.S. technology providers from Apple Inc. (AAPL) to Yahoo! Inc. (YHOO) said they don't give the U.S. government direct access to their systems, responding to newspaper reports of a top-secret electronic surveillance program

Twitter boosts its privacy cred with its absence from the NSA's surveillance program (Quartz) The list of technology companies allegedly participating in a vast US government surveillance program known as PRISM, which was just reported by the Washington Post and Guardian, is notable for one name that's not on it: Twitter

U.S. Says It Gathers Online Data Abroad (New York Times) The federal government has been secretly collecting information on foreigners overseas for nearly six years from the nation's largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, the director of national intelligence confirmed Thursday night

PRISM is bigger than anything that came before it--but no-one knows how much bigger (Quartz) The mystery surrounding how much domestic spying the US government has been conducting on its own citizens will only intensify in the coming days, as a growing number of the nine major internet companies linked to an alleged top-secret data-mining program deny they had anything to do with it

NSA 'top secret' spying order affects millions of Americans: FAQ (ZDNet) The U.S. government is vacuuming up millions of Verizon customer records on a daily basis, according to a leaked "top secret" court order. Here's everything you need to know. The Guardian newspaper revealed exclusively on Wednesday that the U.S. National Security Agency (NSA) has and continues to vacuum up millions of Verizon customer details, including information on phone calls both within the U.S. and between the U.S. and other countries

How total could US government surveillance be? (Quartz) Amid revelations (confirmed) that the US National Security Agency has been collecting basic data on most of the phone calls made in the US, and new claims (so far strenuously denied) that it can directly pull users' information from most of the biggest online firms, one inevitably wonders what else it might be monitoring

Panopticon at Fort Meade (National Review) Late Wednesday night, the website of the British broadsheet The Guardian broke the news that the National Security Agency (NSA) has been monitoring the phone activity of millions of Verizon cell-phone customers. Under a warrant approved by a Foreign

The NSA whistleblower who guessed exactly what was going on, six months ago (Quartz) Last December in an interview with Russia Today (video above), former NSA crypto-mathematician William Binney disclosed the extent to which he believed the US government was not only capable of, but actively engages in spying on internet data and web activity across the country. Binney said that the FBI has access to the emails of everyone in the US, holds a target list and monitors every email to and from those contained on the list

Always Outmanned, Always Outgunned (Threatpost) We were warned. Over and over again. Not just by privacy advocates and by security experts and by civil liberties organizations and by the guy on the corner in the tin foil hat shouting about the government intercepting his brain waves. We were warned by some of the very people charged with overseeing the administration's efforts to expand its domestic intelligence gathering capabilities. We were warned by politicians

The NetTraveler (AKA 'TravNet') (Securelist) This report describes multiple cyber-espionage campaigns that have successfully compromised more than 350 high profile victims in 40 countries. The focus of the paper is to describe NetTraveler, which is the main tool used by the threat actors during these attacks

#OpTurkey: Anonymous Hacks Fox Entertainment Turkey & Vodasoft, Leaks account (Hack Read) Just an hour ago a well known Anonymous hacker going with the handle of @AnonsTurkey on Twitter has hacked into the official websites of Fox Entertainment Turkey (fox.com.tr) and a Turkish based call center VodaSoft (vodasoft.com.tr). @AnonsTurkey who is very active these days for #OpTurkey, managed to breach the servers of both websites, ending up with leaking confidential information

Supposed zero-day exploit for Plesk (The H) The hacker known as KingCope has taken to the security mailing list Full Disclosure to publish what seems to be a zero-day exploit for Plesk, the hosting software package made by Parallels. KingCope says that the exploit uses specially prepared HTTP

Plesk 0-day: Real or not? (Internet Storm Center) Yesterday, a poster to the full disclosure mailing list described a possible new 0-day vulnerability against Plesk. Contributing to the vulnerability is a very odd configuration choice to expose "/usr/bin" via a ScriptAlias, making executables inside the directory reachable via URLs

Microsoft Cyber-Fraud Sting Reveals Resistant Malware Strain (American Banker) An analysis of Microsoft's (MSFT) takedown of a cyber fraud ring that stole hundreds of millions of dollars from bank accounts brings to light the growing sophistication of malware and keylogger makers, who mostly manage to stay a step ahead of antivirus software designers and corporate security officers

Zeus Bank Malware Surges On Facebook (InformationWeek) Old threat makes a comeback, targeting Facebook users' bank credentials and more

The most sophisticated Android Trojan (SecureList) Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated

DoS-in Your Database (Dark Reading) When I started writing SQL, I was never worried about security; I was worried that I would write a bad query that would crash the database. And it was really easy to write SQL that would consume 100 percent of the CPU power or cause disk drives to bottleneck. Queries with outer-joins, cartesian products, and complex comparison operations coupled with full tables scans could pretty much kill any database

Smart TVs vulnerable to a host of attacks (Help Net Security) Smart (connected) TVs are becoming a common fixture in Western world homes, and most users consider it a handy tool and an improvement over the basic television sets of yesterday. But most of them are

Sale of state databases puts patient info at risk (FierceHealthIT) Hospital data compiled by states and sold to researchers, marketers and others could be used to identify patients when combined with other publicly available information, according to a recently published investigation by Bloomberg. The year-long investigation found that public health databases can be paired with news stories and other information to identify patients

Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale (Webroot Threat Blog) Aiming to capitalize on the multi-billion gaming market, cybercriminals actively data mine their botnets for accounting credentials, not just for popular gaming platforms, but also the actual activation keys for some of the most popular games on the market

Fake Mt. Gox pages aim to infect Bitcoin users (Help Net Security) Mt. Gox is the the largest Bitcoin exchange in the world, and as such it and its users are being repeatedly targeted by attackers. Some two months ago, it battled a massive DDoS attack that was

U.S. Veterans Affairs Dept. repeatedly targeted by foreign hackers (Help Net Security) Conflicting claims were heard at Tuesday's hearing of the House Veterans' Affairs oversight and investigations subcommittee, leaving open the question on whether the Veterans Affairs Department has

UMass Amherst Admits Security Breach (eSecurity Planet) 1,670 patients' protected health information may have been accessed

Cyber attack strikes Raley's grocery chain (SFBay) A major Northern California grocery store chain is urging customers to check their credit card and bank statements after the chain's computers appeared to have been hit in a cyber attack. Officials at Raley's said Thursday a portion of the grocer's

Academia

New schools competition launched by Cyber Security Challenge UK (InfoSecurity) With Brian Higgins, formerly of the Serious Organized Crime Agency (SOCA) as the first Schools Programme Manager, Cyber Security Challenge UK, the Cabinet Office and industry sponsors have joined forces to bring code breaking into schools

Brown University CISO on education, BYOD and emerging threats (Help Net Security) David Sherry is the CISO at Brown University. He leads the Information Security Group, charged with the development and maintenance of Brown's information security strategy, information security policy

3 Keys To Gamification For Education (InformationWeek) Gamification is hot, but many attempts at educational games fall flat. Designers, parents and teachers should keep these three success factors in mind

EdX Goes Open Source To Woo MOOC Developers (InformationWeek) Will edX's decision to release its full source code attract more contributors to the Harvard/MIT-backed massive open online course platform

Litigation, Investigation, and Enforcement

Verizon, others have no choice but to hand over customer data (CSO) Any company receiving a government order for data like mobile phone records must comply to gain immunity from prosecution

The Secret Law Behind NSA's Verizon Snooping (Bloomberg) How, exactly, could the government to order a Verizon division to provide records of all calls -- that's right, all -- to or from the U.S. on an ongoing basis? The answer is secrecy -- but not just in the way you think. It's not only that the highly classified request was made to and approved by a highly classified court. But the legal interpretation of the 2001 Patriot Act that the court appears to have used was itself classified. In other words, there was no way for the public to know what the courts believed the law to mean. And that reality runs counter to the most basic principles of democracy and the rule of law

Who should pay when big data incites panic? (FierceBigData) Falsely shouting "fire" in a crowded movie theater is not just a matter of the limits of free speech, it is a matter of public safety. In some states, Ohio for example, inducing panic is a second degree felony punishable by two to eight years in prison and a $20,000 fine

Design and Innovation

A brief history of the US government's awful graphic design (Quartz) The revelation that major US technology companies are participating in a National Security Administration surveillance program was shocking enough. And that was before we saw the top-secret slides used by the government to describe the spying operation. They are, to put it mildly, heinously ugly