The administrator of Sporting’s computer system acknowledged this Wednesday the fragility of the Lisbon club’s internal network, the target of the attack attributed to Rui Pinto, considering that the tools to respond to this situation were very basic.
Speaking at the 10th session of the Football Leaks trial at the Lisbon Central Criminal Court, David Luís Tojal revealed that when he joined the Alvalade club in 2010, his credentials were three characters long and most were SCP, one information that generated some laughter in the audience room.
“We suggested increasing the complexity to eight characters. This was done, but the Sporting administration itself asked to remove it because it was too much for their heads,” said the witness, adding that he passed the minimum complexity level for six characters: “When it arrived a new user, we had to create an account and password, and often the password was SCP123. We asked to change it, but many did not change the password “d.
Asked to describe the contours of the attack allegedly carried out by the creator of Football Leaks, Sporting’s computer technician said that it was only later that he identified a very strange activity from an access originating from Hungary, already after reporting slowness on the server, the disruption and a problem in the email database that left users without access. David Luís Tojal explained that, then, the priority was to repair the system.
The problem was not solved internally, nor with the intervention of external entities, which was only possible with the use of backups. This reinstatement process dragged on for days or weeks, until it was suspended with the disclosure in Coach Leaks of the coach Jorge Jesus’ contract at the end of September, which led the IT department to try to understand the origin of the document extraction.
“From the attack they gave freedom and we increased the complexity [de acesso ao sistema], also assuming that even when the system locked, this lock disappeared after a short time: The tools we had were not the best, they were very basic “.
According to the witness, who will continue to be heard in the afternoon, the accounts of members of the board and the legal department were most affected by the attack.
Before that, there was a hearing at the end of the hearing of Judicial Police specialist Afonso Rodrigues, who revealed that the disruption of the Sporting system had 27,678 lines of attack and that some previous work by the person in charge was necessary, stressing that the club’s computer team did not take care this kind of situation.
The defense of the main defendant in the lawsuit sought to dismantle the idea of intending to cause the system to crash, given the fact that Afonso Rodrigues stated that this situation was caused by tools to test vulnerabilities and not specifically to bring down the network.
On the other hand, Rui Pinto’s lawyers, who proved to be particularly active at this stage, gesturing several times and standing up to give directions to their representatives – led the witness to admit he was unable to specify, based on the log file to the system club on September 29, 2015, that attack caused the disruption.
“I am unable to assess subjectively what the intention of the attacker was,” said Afonso Rodrigues, who also said that he had only analyzed this day of records and that he was not aware of anyone else in the Judiciary having analyzed logs of this nature.
Rui Pinto, 31, is responsible for a total of 90 crimes: 68 of undue access, 14 of violation of correspondence, six of illegitimate access, targeting entities such as Sporting, Doyen, PLMJ law firm, the Portuguese Federation of Football (FPF) and the Attorney General’s Office (PGR), and also for computer sabotage to Sporting’s SAD and for extortion, in the attempted form. This last crime concerns Doyen and was also what led to the pronunciation of the lawyer Aníbal Pinto.
The creator of Football Leaks has been free since August 7, due to his collaboration with the Judicial Police (PJ) and his critical sense, but for security reasons, he is part of the witness protection program in a place not revealed and under police protection.
.
