Hennepin County Sheriff Stanek’s Campaign Website Attempts Malware Attacks on Visitors

The top dog of law enforcement in the eastern Twin Cities metro area has a campaign website that has been attempting to infect each visitor’s computer with malware for days now. Hennepin County Sheriff Rich Stanek also has a lengthy history of supporting increased surveillance and data mining of the public.

How can anyone trust Stanek to collect & secure data scraped en masse from the population when his campaign website has been attempting to infect visitors with malware? If Stanek can’t even maintain a WordPress site securely, how can he be trusted with citizens’ private data? (Do not visit SheriffStanek.com with any browser that has JavaScript and/or Flash enabled.)

The NoScript plugin blocks dangerous scripts from running on Sheriff Stanek’s site, correctly marking them as evil snakes

How does this sheriff with poor infosec and a checkered past fit in the political equation? Stanek is always cagey about which battles he picks – notice how he’s staying quite under-the-radar in the conflict around #Justice4Jamar in Minneapolis. No doubt he’s protecting his political prospects, since he has been dogged by accusations, and substantial findings, of racist behavior during his law enforcement career. More on that in the background section.

VisitorTracker malware in Stanek’s site: Sucuri.net has reported for at least several days that his campaign site is infested with VisitorTracker, which hit the WordPress world around September and then accelerated.

Here is a block of malicious code from one of the sheriff’s JavaScript files with the malicious redirection URL highlighted:

[Screenshot: stanek-hacked-url]

The redirection site with the payloads seems to now be gone – this attack could have happened weeks ago. Here is the Sucuri security notice. UnicornRiot has confirmed that at least Stanek’s jQuery and Modernizr are infected:

[Screenshot: Sucuri Stanek Malicious activity flagged]

VisitorTracker is a derivative of Nuclear Exploit Kit, which can hit a variety of vulnerabilities including Flash and PDF plugins.

An outdated version of the ContactForm7 plugin is one vulnerability that VisitorTracker can use to break in, and Stanek’s site has some version of that plugin installed. Here are cleanup tips.
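As an added example (not from the original article or from Sucuri), one way a site owner could confirm which script files have been tampered with is to compare each deployed library against a known-good copy fetched from its vendor and isolate any bytes added around the original. The theme path, the stand-in file contents and the placeholder "injected" string are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_scripts(site_root: Path, pristine: dict) -> dict:
    """pristine maps a path relative to site_root to the vendor's original bytes."""
    findings = {}
    for rel, good in pristine.items():
        path = site_root / rel
        if not path.is_file():
            findings[rel] = {"status": "missing"}
            continue
        live = path.read_bytes()
        if sha256(live) == sha256(good):
            continue
        finding = {"status": "modified", "sha256": sha256(live)}
        # Injections into library files are often appended or prepended,
        # leaving the original intact; isolate the extra bytes for review.
        if live.startswith(good):
            finding.update(status="appended", extra=live[len(good):])
        elif live.endswith(good):
            finding.update(status="prepended", extra=live[:-len(good)])
        findings[rel] = finding
    # Script files with no known-good counterpart also need a human look.
    for path in site_root.rglob("*.js"):
        rel = path.relative_to(site_root).as_posix()
        if rel not in pristine:
            findings[rel] = {"status": "unknown"}
    return findings

def demo() -> dict:
    # Constructed sample: two library files, one with a harmless stand-in for injected code.
    jq = "wp-includes/js/jquery/jquery.js"
    good = {jq: b"/* jQuery stand-in */\n",
            "wp-content/themes/example/js/modernizr.js": b"/* Modernizr stand-in */\n"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in good.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / jq).write_bytes(good[jq] + b"/* INJECTED-PLACEHOLDER */\n")
        return audit_scripts(root, good)

if __name__ == "__main__":
    for rel, finding in demo().items():
        print(rel, finding)
```

Files reported as "appended" or "prepended" should be replaced with the vendor copy rather than edited by hand, and "unknown" files reviewed before the site goes back online.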

[One wonders if Feds could charge Stanek under the infamously excessive Computer Fraud and Abuse Act (CFAA) for attempting to ‘exceed authorized access’ by launching this malware at unsuspecting visitors.]


More background: Sheriff Stanek is among the most ambitious of metro area Republican politicians, and unlike most, he has his own intelligence tools that he uses at every opportunity. Whether it’s cell phones or DNA, he is always involved in high-level surveillance system policy arenas. Seeking to hack the local human genome, mapping whole swaths of Minnesotans’ genetic code using “familial DNA” law enforcement databases is one major goal of his.

Stanek is on the board of FirstNet, a planned federal first-responder network based in Reston, VA that could carry surveillance data flows like automated license plate reader (ALPR) lookups. He was on a panel at the 2015 International Association of Chiefs of Police conference about this.

Stanek at IACP
(photo source CC – the whole set of police trade show pix is crazy)

For years he has been a public leader for mass cell phone surveillance. In 2010 Stanek obtained money for a “CDMI interrogator” or cell phone tower spoofer, the Harris Kingfish, with $426K in federal grant money. His use of the system moved forward despite initial skepticism on the county board and in the Legislature. Its oversight remains quite unclear. (The Kingfish is an earlier model similar to the well known Stingray system)

Stanek peddled fearporn to national rightwing media recently, hoping to ride the ISIL/refugee panic to greater prominence and ‘credibility’. A few weeks ago he demanded all courtroom defendants be kept in handcuffs during proceedings, even though this practice biases juries against them.

First elected sheriff in 2006, he was challenged in 2014 by Eddie Frizell. He was accused of being an ‘absentee leader’ by Frizell, who got 75% of the votes from the deputies’ union. Stanek got only 9 percent, at 170 to 14. In August 2015 a deputy sued him for allegedly retaliating against complaints of low morale, after the deputy grilled him at a Hennepin County Sheriff’s Deputies Association debate.

He was in the Minnesota House of Representatives from 1995 to 2003. He was appointed Commissioner of Public Safety in 2003 but was forced to resign in April 2004 when racist conduct at a 1989 traffic stop and a 1992 deposition involving his racial epithets came to light. See “The Rehabilitation of Rich Stanek,” by GR Anderson, Nov 2006:

According to Freeman, Stanek approached the car cursing and screaming, and yelled, “N—r. Motherfucker,” when he arrived at the vehicle. Stanek then, according to the plaintiff, smashed the driver’s side window. He ordered Freeman out of the car, “collared” him, and delivered two blows to his back and neck before handcuffing him, while Freeman was facedown on the ground. Freeman’s complaint went on to allege that Stanek “beat and kicked” him “with his fists, feet, and other police-issued paraphernalia.” The Liberian maintained he never resisted, because he knew Stanek was a cop. Freeman—who, according to a deposition provided in the case by the late MPD officer Jerry Haaf, had not been drinking—sought $50,000; the case was settled out of court for $40,000.

The incident was nearly forgotten until more than a decade later, when Stanek was up for confirmation by the Legislature as the state’s public safety commissioner. In April 2004, the Freeman case became newsworthy again for the deposition that Stanek gave in 1992 regarding the incident. In that deposition, Stanek’s racial attitudes became the topic of the questioning. He admitted that he had told racist jokes and made derogatory statements about blacks while on duty.

Then the questioning centered solely on whether Stanek had ever used the word “n—-r”—which he had, he admitted, “several” times. Stanek went on to convey that he and many of his colleagues in the MPD had freely used the word on the job, and he didn’t recall anyone ever being disciplined for it. “I think it’s inappropriate to use that word in public,” Stanek offered. “When I’m in the confines of my own home or my friends, then I think it’s my business.

“I believe it’s appropriate in the context [that] I’m entitled to my own opinion,” Stanek added later in the deposition. “If I express an opinion or say a word within the confines of my home, that I don’t bring it to work, I don’t bring it to the job, I don’t take it to the public, that’s my own business.”

Gov. Tim Pawlenty, who had appointed Stanek to be commissioner, said the information “was immediately a concern.” Stanek, who did not respond to repeated requests to be interviewed for this story, issued a statement at the time that said he had “never used a racial epithet in a hateful or angry way toward anyone either during work or at home.” Still, there was outrage in the African American community, and a press conference at the Urban League in north Minneapolis where several black leaders called for Stanek to resign. Almost immediately, Stanek did just that.

Stanek is involved in the “Countering Violent Extremism” program which is a federalized police intelligence system in Minneapolis.

Stanek spent $30,000 making a video inflating his role at the I-35W bridge collapse in 2007, and split the job into two $15K payments perhaps to duck the open bidding process. Former Minneapolis police chief Tim Dolan said in an email, “His theft of the credit is not going to sit well with my staff and our hard working partners.”

Hat tip to the ever vigilant @smilyus for calling attention to the website security failure – previously Smily was affiliated with the Kitten for Sheriff campaign against Stanek.