USB Stick U3 Security; What is it, what's needed?

Posted on 2006-04-06
Last Modified: 2012-05-05
Greetings Experts!

I need to supply 8 secure USB sticks to top level management. I have not decided what level of security; username/password, encryption or a combination of both. The bigger challenge lies with the users/usability.

Not to be demeaning but we are talking about "technical idiots" as users. This is OK with me, top managers have other things to worry about other than IT related issues. Like putting gas in a car and driving away; They don't want to know all the technical details on the engine and drivetrain! At any rate, I need the sticks to therefore be "idiot proof". The users should, in case of emergency, be able to access their documents from any given PC (XP/2000; maybe Win98).  

I have looked at simple USB sticks and the possibility of installing add-on "portable software" on the stick. However those that I have looked at require either Admin rights to install the set-up software OR Admin rights to run the portable take with software. One perfect exception is TrueCrypt. It works like a charm for me BUT as stated above it must meet the "idiot proof" criteria.  There is no way to train the older generation of management on how to  use this software. They simply will not understand virtual drives, devices, or how to mount a said partition or encrypted file. Period.   If you move or delete an icon on their desktop, they panic. TrueCrypt is a fine program but in my opinion is not for the non-technical user.

So recently I have taken a closer look at the U3 USB Sticks. So far so good regarding the simplicity and the fact of not needing Admin rights to launch the stick (unless I overlooked something). However, it does not end there. All the manufacturers speak about security on their sticks but nowhere is it explained how or what level of protection the basic password offers on the stick. Bruce Schneier calls it "Security through obscurity". OK, so the stick can be password protected. So what. How and where is the hash stored? Is this level enough for say classified (level 1; out of 3) documents?

The password only obviously does not seem to be enough if one looks at the crypto programs that are offered for U3. Are these really needed? In looking at the U3 Crypto progs; so far, so bad! None of these pass my idiot proof criteria, at least not the ones I have looked at. Complicated to configure; complicated to remember the steps.

1. Does anyone have any ideas for an "idiot proof" solution?
2. Does anyone know the level of security that the U3 password offers?
3. What are your experiences?

For any help, I'll be eternally indebted...
Dr Dude
Question by:DrDude1
    LVL 22

    Expert Comment

    Easy USB drive with fingerprint recognition. Here is one just to show you what I am talking about.

    To anyone else but you with this smart 2.0 USB memory drive with 256MB that uses fingerprint recognition technology to keep your files secure and private.

    LVL 3

    Accepted Solution

    Check this one:

    The data is encrypted with 128 bit AES and accessible only with a password.
    As far as I can tell you don't need administrative privileges to login or out the privacy-zone. (At least I don't need them using Windows XP)
    LVL 4

    Assisted Solution

    You can install optional security software on the U3.  Here is a list of them all:

    Several look interesting:

    Cryptomnemo uses pictures instead of a password:

    e-Capsule Private Safe looks very secure

    Author Comment

    @RiDo78--From the link you sent Kingston states, "For ease of use and personalization, My Traveler software helps you organize the DataTraveler's contents, set language preferences and synchronize files with the host device."  Q. is this software needed? Or is the stick plug and play without it, like U3. This is where I have always run into problems. Additional software needed; and almost always admin rights to install!

    @samb39--Yes, I have looked at the list and as a matter of fact DL'ed mnemonic. During the installation, it does not fit the "idiot proof" concept of mine. It needs an internet access to get a trial license. And by the look of it, internet access to add a purchased key. The damn trial sign up would not even recognize our proxy setting and therefore I was unable to finish installing the trial software. I worked around this by taking my laptop home, putting it on MY private net, disabling the company proxy setting and finished the install.  This is a BS workaround that definitely does not work for a corporate setting. After starting Mnemonic it asked for three passwords. Are they insane?? Do they really expect the users I described above to comprehend and remember all these PWs???

    I forgot to mention I was looking at this:
    Most importantly they state: "The Stealth MXP makes use of a patent pending user-mode communication protocol providing true zero footprint mode – no software installation and no administrator rights required on the host PC."

    Then I know at what level ALL data on the stick is secured by, right from the get-go. It is not available yet but hopefully I will get one soon to test.
    LVL 3

    Expert Comment

    @DrDude1: Yes, the software is required but can be divided in two parts. The first part is the management software that prefers (not requires) to be installed on the machine. With this software you can manage the stick (eg. define how large the encrypted part should be). It is NOT required for daily use.

    The second part can be found twice on the stick itself (once in the secure part and once in the non-secure part) and does not require installation. This software is required to switch to the secure-part of the stick and back. If you switch to the secure part, a password is required. After (I thought) 30 false attempts, the stick erases the data stored on it.

    Although you can change the size of the secure part, I suggest to use the entire stick (minus 1 Mb for its own software) so the non-technical managers do not open a document on the non-secure part and then wonder why they can't switch to the secure part with the document open. (The non-secure part and the secure part share the same drive letter. The software basically remounts the USB-drive).
    LVL 3

    Expert Comment


    Author Comment

    Just by chance I have been in contact with safeboot here in Germany. While visiting the CeBit they were one of the first stands I visited. Come to find out, the safeboot USB is also part of a software installation suite. Their Rep is the one who pointed me to the Stealth-MXP. They should be offering it now (or soon; I was on vacation and did not make follow-up contact yet).

    My major problem is that I need to configure the sticks one time and hand them out at a meeting to 8 individuals who are working around the globe. No room for error, no wish for anything complicated (reminds me of going from a carburetor that could be adjusted with a screwdriver, to all the electronic injection systems that need expensive computers and experts to tune them. They call this progress. Perhaps we should all just carry a piece of paper and a pencil).

    Anyway, we are leaning more towards any one of the U3 conform sticks; no particular brand. The cool thing is that we can install Open office; that way if the host computer does not have MS office at least the execs can access the Docs/XLs files.

    I password protected my U3 stick and re-inserted it without putting in the password. If I click on the removable drive part, it says access denied. Seems OK to me, but my real concern is what level/type of protection is being used here?  I had read that the U3 acts as a normal USB removable drive when inserted on a non MS machine. I booted the latest Knoppix 5.0 and it did not mount or find the stick. Perhaps the U3 simple protection is enough for the casual user? Like a simple person who would find the stick on the seat in an airport. How much trouble/effort would they go through to hack the stick? After discussing with my boss, it seems that the password with U3 might be enough for the information on the stick. We are not talking military secrets here. What I don't want to happen is that later the users come and say the level of protection is not enough; that is why I was thinking about the Stealth-MXP.

    @RiDo78 and samb39; I have not really gotten the answer I was looking for but I think all of our Q. and A. could benefit others. Therefore I will split the points 400/100 accordingly. Hope you agree.
    LVL 3

    Expert Comment

    Hi again,

    I'm sorry that we could not be of any more help. Honestly said, how you divide the points is your business and I don't mind how you do it. For me the points do not have a real value, they're just a number.

    One last thing though, I don't know how good your linux-skills are, but most (if not all) USB sticks (U3 or not) can be treated like an ordinary removable storage device. So if you say that Knoppix did not find the stick at all, I would say that there's something wrong with the distro or your knowledge of the distro or Linux is not sufficient.  I own several sticks:
    - unknown-brand, 64 Mb on my keychain. It contains my private key for world-wide access to my PC at home, the public host-certificate and Putty.
    - Kingston Datatraveler II plus migo, 2 Gb for carrying applications (like firefox), desktopsettings and a couple of documents.
    - Kingston Datatraveler Elite 512 Mb used for sensitive data
    Apart from those I've used many other USB-sticks as well. On ALL of them the unsecured part could be mounted under Linux (SuSe 9.2). The secured part remained hidden.

    Author Comment


    I admit, my Linux knowledge is very basic. One cannot be an expert at everything :-) although some claim to be. A Jack of all trades, and Master at none. LOL Anyway, that is why I use the Knoppix. It is basically "Idiot Proof". As you stated, it will find/mount ordinary USB sticks as removable storage. It does do this with my Corsair stick but not the U3 configured stick. I tried them side-by-side. KPx finds the "open" one, but the other U3 is not seen.

    I just ordered 10 Kingston U3 Smart Data Travelers.  The "basic" password protection will do for now. However, I will pursue the quest of trying to find out just how this pw protection works and on what basis it operates. Should our execs desire added encryption, as samb39 suggested, I can always add Cryptomnemo later. According to the Project leader, the execs will not be carrying top secret documents. At the same time, I do not want them to have a false sense of security! Most would not understand the difference. All they think is that if they have to put in a password, it must be secure (kinda like Win9x...LOL).

    take care and thanks for your help!
