The administrator of Sporting’s computer system recognized this Wednesday the fragility of the Lisbon club’s internal network, target of the attack attributed to Rui Pinto, considering that the tools to respond to this situation were very basic.
Speaking at the 10th session of the Football Leaks trial, at the Lisbon Central Criminal Court, David Luís Tojal revealed that, when he joined the Alvalade club, in 2010, his credentials had three characters and the majority were SCP, a information that generated some laughter in the courtroom.
Related
“We suggested increasing the complexity to eight characters. This was done, but Sporting’s management asked to remove it because it was too much for their heads”, said the witness, adding that the minimum level of complexity was raised to six characters: “When it arrived a new user, we had to create an account and password, and often the password was SCP123. We asked to change it, but many did not change the password”d.
Asked to describe the contours of the attack allegedly carried out by the creator of Football Leaks, Sporting’s computer technician said that it was only later that he identified very strange activity from an access from Hungary, after reporting server slowness, disruption and a problem with the email database that left users without access. David Luís Tojal explained that, then, the priority was to repair the system.
The problem was not resolved internally, nor with the intervention of external entities, which was only possible with the use of backups. This restoration process dragged on for days or weeks, until it was suspended with the announcement on Football Leaks of the contract of coach Jorge Jesus, at the end of September, which led the IT department to try to understand the origin of the extraction of the document.
“From the attack, they gave freedom and we increased the complexity [de acesso ao sistema]also assuming that even when the system blocked, this block disappeared after a short time: The tools we had were not the best, they were very basic”.
According to the witness, who will continue to be heard during the afternoon, the accounts of elements of the management and the legal department were the most affected by the attack.
Before that, there was the end of the hearing by the Judiciary Police specialist Afonso Rodrigues, who revealed that the disruption of Sporting’s system had 27,678 lines of attack and that some previous work was necessary by the person in charge, also underlining that the club’s IT team did not this kind of situation.
The defense of the main defendant in the case sought to dismantle the idea of intention to cause the system to crash, given the fact that Afonso Rodrigues had stated that this situation would have been caused by tools to test vulnerabilities and not specifically to bring down the network.
On the other hand, Rui Pinto’s lawyers, who were particularly active at this stage, gesticulating several times and getting up to give directions to their representatives – led the witness to admit that he was unable to specify, based on the log file to the club on September 29, 2015, which attack caused the disruption.
“I cannot subjectively assess the intention of whoever made the attack”, said Afonso Rodrigues, who also said that he had only analyzed this day of records and that he was not aware of anyone else in the Judiciary having analyzed logs of this nature.
Rui Pinto, 31, is responsible for a total of 90 crimes: 68 of improper access, 14 of violation of correspondence, six of illegitimate access, targeting entities such as Sporting, Doyen, the PLMJ law firm, the Portuguese Federation of Football (FPF) and the Attorney General’s Office (PGR), and also for computer sabotage of Sporting’s SAD and for extortion, in the attempted form. This last crime concerns Doyen and was what also led to the indictment of lawyer Aníbal Pinto.
The creator of Football Leaks has been free since August 7th, due to his collaboration with the Judiciary Police (PJ) and his critical sense, but is, for security reasons, inserted in the witness protection program in a place not revealed and under police protection.
