Security Concern. Help.
So I recently got an email from Ed Jennings, the CEO, alerting me about an incident wherein one of the employee emails was used for a phishing scam. They went into detail about what they did to stop it and what I should do and so on. However... The email they provided to ask further security-related questions, security-awareness@quickbase.com, was deemed no longer valid by my Outlook client. Now I'm worried if this email alert itself is fraudulent. And the fact that I do not see any alerts in my admin console for my realm makes me more suspicious.

------------------------------ James Dalton ------------------------------

HIPAA Compliance and QuickBase...
Building HIPAA Compliant Applications with QuickBase

Contents:
- What is HIPAA?
- HIPAA Compliance Overview
- How to Ensure HIPAA compliance when using Quick Base

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding electronic Protected Health Information (ePHI). HIPAA was created primarily to modernize the flow of healthcare information, stipulate how ePHI maintained by healthcare industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.

HIPAA Terminology

Covered Entity - A covered entity is a health care provider, a health plan or a health care clearing house who, in its normal activities, creates, maintains or transmits PHI.

Business Associate - A "business associate" is a person or business that provides a service to - or performs a certain function or activity for - a covered entity when that service, function or activity involves the business associate having access to PHI maintained by the covered entity.

The Customer is the Covered Entity and Quick Base is the Business Associate.

HIPAA Compliance Overview

The HIPAA Privacy Rule addresses how PHI can be used and disclosed, while the Security Rule mandates Administrative, Physical, and Technical Safeguards.

HIPAA Security Rule Requirements

Administrative Safeguards

Access Controls:
- Access management - employees only see the "minimum necessary" information to do their job
- Authentication of the identity of the individual seeking access
- Session controls (inactivity logoff)
- Data encryption (in motion and at rest)

Audit controls: Mechanisms for recording and examining activities pertaining to ePHI within the information systems.

Password Management: Procedures for creating, changing, and safeguarding passwords.

Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.

Disaster Recovery Plan: Establish and implement procedures to restore any loss of data.

Emergency Mode Operation Plan: Business continuity and disaster recovery plans are developed and approved annually.

Physical Safeguards

Facility Security Plan: Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.

Data Backup & Storage:
- Automatic full backups of customer production data each day
- Replicates production data to the backup data center every 4 hours

We enable our customers to build HIPAA compliant applications on our platform. By leveraging this shared responsibility model, together we share the administration responsibilities and set controls where appropriate.

Further Information

This year's audit includes a HIPAA Attestation which validates that Quick Base is a HIPAA compliant platform on which customers may build HIPAA-compliant apps. This report can be sent to customers under contract or prospects under NDA. Click here for our marketing website for Security & Compliance Info.

------------------------------ Sean Padian ------------------------------

Access Record data from an html page via API call
I have had a hard time getting accustomed to working with API calls from outside of Quick Base, and since I have limited experience with XML. Finally, after struggling quite a bit, I have come up with a (seemingly) decent method for getting/accessing record data from an API call in an HTML page. I will post the code below; please provide any feedback for this method, as I am still early using Quick Base API calls. This method uses the option to return the record data as a 2-dimensional array that can be accessed with "qdb_data[x]", where the "x" is the index selector. You can easily check the number of returned records by looking at "qdb_data.length".

    <head>
      <!-- jsa=1 makes API_GenResultsTable return the records as a JavaScript array named qdb_data -->
      <script type="text/javascript"
              src="yourdomain/db/yourtable?a=API_GenResultsTable&query={'field id'.operator.matchvalue}&jsa=1&apptoken=[yourtoken]">
      </script>
      <script>
        // qdb_data[0] is the first returned record (a row of field values);
        // qdb_data.length is the number of returned records
        function displayData() {
          alert(qdb_data[0]);
        }
      </script>
    </head>

Curious about the security of having the API info and app token within the client-side code. Obviously a QB code page is fairly secure compared to a remote code page, but still curious about it. Thanks everyone.

Security Concern
Hi All,

One of our clients has raised security concerns while accessing QuickBase using APIs. Following is the sequence of the calls made to access QuickBase from the external system.

First call, for authentication to get a ticket:

    POST //db/main HTTP/1.1
    Host: https://target_domain
    Content-Type: application/xml
    QUICKBASE-ACTION: API_Authenticate
    Cache-Control: no-cache
    Postman-Token: a66300eb-891b-2764-d7ad-f4a6e0b45452

    <qdbapi>
      <username>USER NAME</username>
      <password>PASSWORD</password>
      <hours>24</hours>
    </qdbapi>

O/P: Ticket

After the first call for authentication, when subsequent calls are made to QuickBase without passing the ticket, we still get the desired output, and this poses a serious security concern, as anyone can make random calls to QuickBase and get data until the ticket is valid.

Second call, without ticket:

    GET /db/bm272rhqa?a=API_DoQuery&query={'3'.EX.'42'}&clist=3 HTTP/1.1
    Host: https://target_domain
    Cache-Control: no-cache
    Postman-Token: e71e843e-1a90-54f8-cfac-80a6bfe8d89b

O/P: Desired XML Data

As an immediate fix we have asked the client to use the "API_SignOut" API to invalidate the ticket, but still, if the ticket has a duration of, say, 4 hours, during those four hours is it possible to make sure that no API calls can be made to QuickBase without passing a valid ticket in each API call?

Thanks

I'd like to propose addressing the current allowable password length (20 characters).
Our single sign-on environment allows up to 48 characters, and the current limit should support NIST guidelines (800-63B):

"Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. [...] Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit."

Why "Password Reset Error"?
I have a user who has forgotten her email. She goes through the "forgot password" procedures, the system sends her an email, and when she clicks on the link in the email, it takes her to a "Password Reset Error" page, with the message "The email link you clicked on to reset your password was expired. For reasons of security, this link expires 90 minutes after QuickBase sends them. You may try to reset your password by pressing the button below." She's tried clicking that button, and it sends a new email, and when she clicks that link, it takes her to the same "Password Reset Error" page. She's on Chrome. I've tried having her clear cookies and cache, but so far, no luck. Any ideas?