USB Stick U3 Security; What is it, what's needed?
Posted on 2006-04-06
I need to supply 8 secure USB sticks to top-level management. I have not decided what level of security; username/password, encryption or a combination of both. The bigger challenge lies with the users/usability.
Not to be demeaning but we are talking about "technical idiots" as users. This is OK with me, top managers have other things to worry about other than IT related issues. Like putting gas in a car and driving away; they don't want to know all the technical details on the engine and drivetrain! At any rate, I need the sticks to therefore be "idiot proof". The users should, in case of emergency, be able to access their documents from any given PC (XP/2000; maybe Win98).
I have looked at simple USB sticks and the possibility of installing add-on "portable software" on the stick. However those that I have looked at require either Admin rights to install the set-up software OR Admin rights to run the portable take with software. One perfect exception is TrueCrypt. It works like a charm for me BUT as stated above it must meet the "idiot proof" criteria. There is no way to train the older generation of management on how to use this software. They simply will not understand virtual drives, devices, or how to mount a said partition or encrypted file. Period. If you move or delete an icon on their desktop, they panic. TrueCrypt is a fine program but in my opinion is not for the non-technical user.
So recently I have taken a closer look at the U3 USB Sticks. So far so good regarding the simplicity and the fact of not needing Admin rights to launch the stick (unless I overlooked something). However, it does not end there. All the manufacturers speak about security on their sticks but nowhere is it explained how or what level of protection the basic password offers on the stick. Bruce Schneier calls it "Security through obscurity". OK, so the stick can be password protected. So what. How and where is the hash stored? Is this level enough for say classified (level 1; out of 3) documents?
The password only obviously does not seem to be enough if one looks at the crypto programs that are offered for U3. Are these really needed? In looking at the U3 Crypto progs; so far, so bad! None of these pass my idiot proof criteria, at least not the ones I have looked at. Complicated to configure; complicated to remember the steps.
1. Does anyone have any ideas for an "idiot proof" solution?
2. Does anyone know the level of security that the U3 password offers?
3. What are your experiences?
For any help, I'll be eternally indebted...