Group Offers to Sell Supposed Dragon IDS Code

Updated: The Source Code Club, which a member said comprises professional hackers in it for the money, says the code for Enterasys' intrusion detection system is available for $16,000. It also claims to have Nap

A group calling itself the Source Code Club is offering to sell files that it claims contain the source code for Enterasys Networks Inc.'s Dragon IDS (intrusion detection system) software. The asking price: $16,000.

The group's rudimentary Web site, which is registered under a Ukrainian domain name, lists hundreds of files that appear as though they could indeed be source-code files. There is no way to tell whether the group actually has the code, although it claims to have obtained it by breaking into the Enterasys network.

"Enterasys is investigating the alleged theft of what may be a portion of source code of an older version of our Dragon IDS software. We don't expect complications from this situation, as we have made significant modifications to the product since the 6.1 version. To further protect their networks, customers running the older Dragon 6.1 version can go to to download the version 6.3 upgrade," said Kevin Flanagan, senior manager of corporate communications at Enterasys.

"Our continuing investigation indicates that any possible misappropriation of the code would have been linked to a physical theft of media and not a breach of our network. We base this conclusion on our review of the file structure on the Web site purporting to possess the code and our ongoing forensic analysis of our systems to ensure they have not been compromised. There is no indication that such a breach occurred. We are working with law enforcement authorities to investigate this situation and, therefore, we can provide no further details at this time."

The group also claims to have the source code for the Napster client and server software, which it is offering for sale at $10,000.

Someone using the name Larry Hobbles posted a message to the Full Disclosure security mailing list Monday night saying that both the Dragon and Napster code were available for sale.

"The Source Code Club is now open for business. SCC is a business focused on delivering corporate intel to our customers. Our main focus is selling source code and design documents, but there are many other facets to our business," the message reads. "To get the ball rolling, we are now offering the souce [sic] code/design docs for both Enterasys Intrusion Detection System (NIDS/HIDS) and Napster server and clients."

The files listed on SCC's site appear to be from version 6.1 of Dragon; the current release is 6.3.

In an e-mail interview, the SCC member who posted the message to Full Disclosure said the group is made up of professional hackers who are simply in it for the money.

"The Enterasys and Napster code were both acquired via a remote penetration of said corporate networks. SCC is not worried about the legal consequences of such actions for a number of reasons: 1) The countries where we originate from do not have hacking laws. 2) Our team has over 10 years in the information security industry. We know what we are doing," he said.

"Our motivation for selling the property is money and to put our skills to use. We do not only offer source code; there are many hacking services that we provide. We do not wish to continue offering source code publicly, but it is something that must be done initially to ensure the public that we are real."

Both the message and the group's Web site provide an e-mail address registered to a South African domain. The group's site says customers have the option of buying the code all at once or in smaller chunks, which supposedly allows the buyer to verify the authenticity of the code before committing to buying the entire archive.

Dragon is Enterasys' flagship security product and is one of the more popular and well-regarded IDS systems on the market. It is both a network and host IDS.

Editor's Note: This story was updated to include comments from an Enterasys representative.
