A group of hackers who offered the source code for a popular intrusion detection program for sale earlier this year say they have added a new product to their lineup: the source code for Cisco's PIX firewall software.
The Source Code Club made its debut in July with the first issue of its "newsletter", posted on the Full Disclosure mailing list, offering source code for Enterasys Dragon Intrusion Detection System and Napster. The second posting appeared on Monday on the alt.gap.international.sales Usenet newsgroup and adds the Cisco PIX 6.3.1 source code, offered for $24,000, as well as raising the prices for Dragon IDS and Napster.
"SCC is proud to announce the general availability of Cisco PIX 6.3.1 source code," said the message, from a user calling himself Larry Hobbles. "This release is significant because PIX is vital to the security of many ultra-secure networks."
Cisco PIX is one of the most commonly deployed corporate firewalls. Version 6.3(1) was first released in March 2003. The current version of the PIX firewall software is 6.3(4), which was released in July.
Cisco confirmed that it was aware of the SCC's actions but was not immediately available for further comment.
The group posted a listing of files allegedly included in the source code package as a way of verifying that the code is genuine. The group used the same tactic when seeking buyers for the Dragon IDS 6.1 source, and at that time Enterasys said the file names appeared accurate.
The appearance of stolen source code could raise questions about the security of Cisco's software. Source code for proprietary software is normally kept secret, and it is easier for potential attackers to find weak spots in software by examining source rather than the binaries derived from it.
However, the hacker group portrayed its offer as a chance for businesses and governments to test Cisco's security by examining the source code for themselves. The group promised to provide build scripts enabling buyers to compile functioning firmware for PIX devices from the source code, thus ensuring that there is no hidden code in the finished product.
While the group was forced to shut down its Web site, as it did in July, it says it is doing business via Usenet and email. Communications are kept anonymous by the use of PGP keys, and financial transfers are handled through an e-gold.com account.
The group says it is offering the Cisco code in 20 separate chunks for $1,200 apiece, for those who want to verify its authenticity without paying full price. The price for Dragon IDS has been raised to $19,200 and the price for Napster has been raised to $12,000.
Despite dealing in software contraband, the SCC presents itself as a legitimate business. "SCC is a clandestine business created to provide intel for our customers," said "Larry Hobbles" in an email interview with Techworld in July. "Our team consists of many of the top security specialists in the world."
At the time, Hobbles said the group planned to offer a few source code packages publicly in order to raise customer interest, and after that would switch to stealing code on commission. "We do not wish to publicly offer more than a few other source code packages, but this will depend on how business is," Hobbles said. "Our business will mainly focus on requests from our customers."
In May attackers broke into Cisco's corporate network and made off with some 800MB of Cisco's IOS 12.3 and 12.3t router operating system software.