Chipotle may have banished E coli, but now it has a new infection

The last quarter has been a trying one for Mexican fast-food chain Chipotle. People are returning to its restaurants after the great 2015 E coli outbreak, but now customers are being struck by a different kind of virus. The taco takeaway admitted that it had become the latest victim of what sounds like classic cash register …

  1. Anonymous Coward
    Anonymous Coward

    Here's a tip, just use cash, and leave a tip

    Also, I was bored and I completed my treatment of the big banner advert that has been sending me secret signals all the past week or so... I give you now:

    Infosys 7 Mainframe Migration Challenges, featuring Kate and Simon:

    1) Gosh, Kate smells really good today, what is she wearing?

    2) Kate has awesome hair, she really does smell nice, don't let on!

    3) I think Kate knows I like her, I mean really really like her. Be cool.

    4) I'm starting to sweat with Kate right next to me. How can I apply more deodorant during my break?

    5) Ask her to lunch! No, she won't go. Just ask her already!

    6) Pretend to be more interested in the terminal than Kate, or her blouse, or her hair, oh no, I just saw her shoes... this is going to be a long day.

    7) Why do people still use mainframes, and why does Kate bother working here?

  2. Anonymous Coward
    Terminator

    Chipotle hit by bank-card-stealing malware

    What was the name of the Operating System this cash register malware ran on?

    1. ecarlseen

      Re: Chipotle hit by bank-card-stealing malware

      Not sure. It's an NCR system (I notice because I own a retail business and the new Chipotle near me has a fancy new PoS terminal that looked less fugly than the NCR ones normally do).

      Probably running Windows.

    2. Crazy Operations Guy

      Re: Chipotle hit by bank-card-stealing malware

      Doesn't matter, any system can be infected. I've done a proof of concept malware for a client with PoS systems that was just a bash script that would run tcpdump, filter for credit card numbers with grep, use a bit of sed to combine the information into a semi-structured format, then XOR'ed the data with a pre-shared key (Actually a DNS query to my domain then used the result as the key) then would query my DNS server for a host named <Encoded_CC_Data>.<subdomain>.<my_domain>.com.

      The infection method was to just hijack the PoS terminal's boot process. When the terminal boots up, it sends out a DHCP/BOOTP request, the server would then pass an IP address to the client for a TFTP server to receive its configuration. All I had to do was to plug a small system into the network that would emulate a PoS terminal so that I'd get a copy of what the PoS terminals would. Next step was to modify the payload with my script added into it. Once that was prepared, the device would DoS the real DHCP server (Exhaust its addresses) then give out its own address for the TFTP server and give the poisoned package to those systems.

      I was also able to do a quick nmap and found that the boot server I was attacking was responsible for the entire region and that each store was connected to it by way of an L2TP VPN. With a slight modification of my attack, I was able to infect about 30 stores and about 120 PoS terminals.

      The whole thing just used utilities that came pre-installed with the OS, so would avoid any and all anti-malware scans. The only signs of my attack were that the PoS terminals had an extra line in their crontab (the entire script could be condensed to a single line), the DHCP server seeing a little less traffic, and some odd DNS queries coming out of each store's network (Although my domain would, at first glance, look just like a legitimate domain). Hell, I didn't even attack the cash registers themselves, nor any other server, just exploited some weaknesses in the network.
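Added example, not part of the comment above or of anyone's production tooling: a detection sketch for the "odd DNS queries" sign the comment mentions, flagging parent domains that receive many distinct long, high-entropy leftmost labels. The log format (`<client_ip> <queried_name>`), the thresholds and every domain and address in the sample are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log lines: "<client_ip> <queried_name>"
SAMPLE_LOG = """\
10.20.1.11 www.example.com
10.20.1.11 time.example.net
10.20.1.12 updates.pos-vendor.example
10.20.1.14 3f9a1c77e2b04d5a9c1e8b6d2a7f4c03.t1.metrics-cdn.example
10.20.1.14 a81b02ccd94e7f10b35d6e2f9c4a7d18.t1.metrics-cdn.example
10.20.1.14 5d7e90c3b1a24f68e0c9d3b7a6f1e254.t1.metrics-cdn.example
10.20.1.15 c4e1f7a09b2d38560e7fa1c9d4b3e682.t1.metrics-cdn.example
"""

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def suspicious_label(label, min_len=24, min_entropy=3.0):
    """Long, high-entropy leftmost labels look like encoded data, not hostnames."""
    return len(label) >= min_len and entropy(label) >= min_entropy

def find_dns_exfil(log_text, min_unique=3):
    """Return {parent_domain: sorted client IPs} for parents that received
    at least min_unique distinct suspicious leftmost labels."""
    labels = defaultdict(set)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, name = parts
        first, _, parent = name.lower().rstrip(".").partition(".")
        if parent and suspicious_label(first):
            labels[parent].add(first)
            clients[parent].add(client)
    return {p: sorted(clients[p]) for p in labels if len(labels[p]) >= min_unique}

if __name__ == "__main__":
    for parent, ips in find_dns_exfil(SAMPLE_LOG).items():
        print(f"possible DNS exfiltration via {parent} from {ips}")
```

On a payment segment the set of legitimately queried names is small, so an allowlist of expected domains applied before this check cuts false positives from CDNs that use hashed hostnames.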

  3. Anonymous Coward
    Anonymous Coward

    Typical response to a security breach

    i.e. It's someone else's problem.... Well, I won't eat there again. I keep tabs on corps who pull this sh*t and I won't ever go back there... If I eventually run out of places to frequent I guess I can just retire! :) ... (Well as a consumer...)

  4. DNTP

    So, the classic "would you rather..." question-

    Would you rather get a possibly fatal e. coli infection, or have your credit card stolen?

    LET'S DO BOTH

  5. kain preacher

    I would not exactly call that place a Mexican restaurant.

  6. Your alien overlord - fear me

    Has anybody told Trump that Mexicans are stealing 'Murican money? Don't worry, he'll soon have walls built around each taco outlet !!

    1. jake Silver badge

      Most taco joints in the US don't sell Mexican food. They sell Texican pseudo-food.

      1. kain preacher

        Depends on the state. When I was in California it was easy to find real Mexican food. I moved to Alabama and I can't find anything that remotely looks Mexican. They serve greasy shit and call it Mexican food.

      2. eldowon

        What's your difference between Texican/Tex-Mex and actual Mexican food?

        1. jake Silver badge

          The difference is the same as the difference between Italian American and actual Italian ... The real thing is fresh and local and varied. The derivative is canned, trucked in and homogenized.

  7. Infernoz Bronze badge
    FAIL

    Should be using separate secure payment terminals and isolated payment service software

    If the payment service software is in a secure OS service or container and just passing tokens to the POS software, even if the POS user is compromised, they won't get any card details.

    1. kain preacher

      Re: Should be using separate secure payment terminals and isolated payment service software

      I've seen PoS running on a PII with Windows 98 as late as two years ago. It's an eerie feeling when your replacement parts come from eBay.
