What's next?
What's left?
Let me guess -> you code a "hello world" program, and someone finds a
way to exploit it?
According to comments posted to comp.protocols.time.ntp, it may very
well be the case that "disabling crypto in ntp.conf should avoid the
main vulnerabilities".
And why you need to have a crypto layer when performing a time-check is
completely nuts.
Another example of -> If it Works, it's not Complicated enough. (which
is also Micro$oft's motto).
======================
Attack code exploiting critical bugs in net time sync puts servers at
risk
Updates available for remote code-execution vulnerabilities. Patch now!
Dec 20, 2014
Several critical vulnerabilities in the protocol implementation used to
synchronize clock settings over the Internet are putting countless
servers at risk of remote hijacks until they install a security patch,
an advisory issued by the federal government warned.
The remote-code execution bugs reside in versions of the network time
protocol prior to 4.2.8, according to an advisory issued Friday by the
Industrial Control Systems Cyber Emergency Response Team. In many cases,
the vulnerabilities can be exploited remotely by hackers with only a low
level of skill.
"Exploitation of these vulnerabilities could allow an attacker to
execute arbitrary code with the privileges of the [network time protocol
daemon] process," the advisory warned. Exploit code that targets the
vulnerabilities is publicly available. It's not clear exactly what
privileges NTP processes get on the typical server, but a handful of
knowledgeable people said they believed it usually involved unfettered
root access. Even if the rights are limited, it's not uncommon for
hackers to combine exploits with privilege elevation attacks, which
increase the system resources a targeted app has the ability to control.
====================
Further Reading
DoS attacks that took down big game sites abused Web's time-sync
protocol
http://arstechnica.com/security/2014/01/dos-attacks-that-took-down-big-game-sites-abused-webs-time-synch-protocol/
Never-before-seen technique abused the Network Time Protocol to worsen
effects.
====================
In January, researchers uncovered evidence NTP was being exploited to
wage crippling denial-of-service attacks on gaming sites. Attackers
were using the widely used service to amplify the amount of bandwidth
available to them, a technique that saturated targets with as much as
100 gigabits of data per second.
The bugs were discovered by Google Security Team researchers Neel Mehta
and Stephen Roettger, who reported them privately. The vulnerabilities
have been fixed in version 4.2.8. Maintainers of the open-source NTP
code have bare-bones details on the bugs here:
http://support.ntp.org/bin/view/Main/SecurityNotice
Additional details, including about separate information disclosure
vulnerabilities caused by a weak default key and non-cryptographic
random number generator in NTP, are here:
http://www.kb.cert.org/vuls/id/852879
--------------------------------
http://arstechnica.com/security/2014/12/attack-code-exploiting-critical-bugs-in-net-time-sync-puts-servers-at-risk
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
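
Added example, not part of the original post or the quoted article: a small audit that flags an ntpd release older than the 4.2.8 fix named above and lists active "crypto" lines in ntp.conf, the setting the post mentions disabling. The banner format and the sample config are constructed assumptions.

```python
import re

FIXED = (4, 2, 8)  # first fixed release according to the advisory quoted above

# Constructed sample inputs (assumed formats, not taken from any real host).
SAMPLE_BANNER = "ntpd 4.2.6p5@1.2349-o Fri Dec 19 2014 (1)"
SAMPLE_CONF = """\
# /etc/ntp.conf (constructed sample)
driftfile /var/lib/ntp/drift
server 0.pool.example iburst
  crypto pw examplepw   # Autokey enabled
#crypto
keys /etc/ntp/keys
"""

def parse_version(banner):
    """Return (major, minor, patch) from a version banner, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:p\d+)?", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def crypto_lines(conf_text):
    """Return (line_number, directive) for each uncommented crypto line."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line.split()[:1] == ["crypto"]:
            hits.append((n, line))
    return hits

def audit(banner, conf_text):
    """Summarise patch status and crypto configuration for one host."""
    version = parse_version(banner)
    return {
        "version": version,
        # An unparseable banner is treated as needing manual review.
        "needs_update": version is None or version < FIXED,
        "crypto_lines": crypto_lines(conf_text),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONF))
```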