A hacker group claiming to have stolen source code from many Fortune 100 software companies says it is attempting to drum up business by offering the complete source of a leading security system, at a price of $16,000.
The operation, calling itself the Source Code Club (SCC), announced its existence with an email to the Full Disclosure security mailing list on Monday, offering the source code and design documents for Enterasys Networks' Dragon IDS (Intrusion Detection System) and the Napster client and server. The email directed customers to a bare-bones Web site registered with a Ukrainian hosting provider.
"The Source Code Club is now open for business," said the email, sent by a user identified as Larry Hobbles using a South African-registered address. "SCC is a business focused on delivering corporate intel to our customers."
[Update: As of 2.30pm Thu 15 July, the site has shut down, with this message on its homepage: "Thank you for your interest in SCC. We regret to inform that SCC has temporarily suspended operations. Our business model is currently being re-designed to alleviate some of the initial fears our customers faced. Selling corporate secrets is a very tricky, and we believe it is an area that we can conquer. Look for us in the near future as we re-emerge to bring you all kinds of secrets. Sincerely, SCC Team."]
According to an Enterasys spokesman, the company is well aware of the existence of SCC and is working with the authorities in investigating the situation. He said that "Enterasys is investigating the alleged theft of what may be a portion of source code of an older version of our Dragon IDS software. We don't expect complications from this situation, as we have made significant modifications to the product since the 6.1 version. To further protect their networks, customers running the older Dragon 6.1 version can go to www.dragon.enterasys.com to download the version 6.3 upgrade. Customer service is available to assist as needed with the upgrade process."
He stressed that there was no evidence that the Enterasys network had been breached. "Our continuing investigation indicates that any possible misappropriation of the code would have been linked to a physical theft of media and not a breach of our network. We base this conclusion on our review of the file structure on the Web site purporting to possess the code and our ongoing forensic analysis of our systems to ensure they have not been compromised. There is no indication that such a breach occurred."
For proprietary software companies, source code is a closely-guarded secret, revealing how the software is constructed and making it easier for researchers to spot security holes. Unlike binaries, or executable software, source code is hand-written, usually well-documented and designed to be read by humans. After a leak of some Windows source code in February, Microsoft sent legal warnings to hundreds of users who downloaded the code or searched for it on peer-to-peer services.
As proof that the group really has the code it is offering, SCC has posted legitimate-looking lists of the files contained in the Dragon and Napster source. As a further inducement to customers, the group is offering the code in lower-priced segments, so that buyers can purportedly see for themselves that the code is real without paying the full amount up front.
The hacker group said it is using the sale of source code to advertise its services to potential customers. Besides selling stolen source code, SCC says it steals code on request and offers other hacking services. "Formed in early 2004, SCC was created to fill a void in the corporate world. Until now, it was nearly impossible for companies to reliably gather intel on their competitors," the group's website says. "The secrets behind Dragon have built Enterasys into one of the Internet's top security companies."
The code SCC offers was obtained by breaking into corporate networks, the group said. "If you are requesting (source code) from a Fortune 100 company, there is a good chance that we might already have it." SCC says it will consider stealing code on request, though thefts could take up to two months to complete.
SCC said it is not concerned about attention from law enforcement. If the site is shut down, the group said it will open a new one and advertise the new location on the Full Disclosure mailing list. It requires all transactions to be carried out using encrypted email, with payments made using an e-gold account. Software is to be delivered encrypted via a secret Web address; the address, and decryption keys, are to be delivered via encrypted email.
"Our employees have over 10 years experience with encryption and anonymising techniques," the group's site says.