Differential Cryptanalysis is a statistical attack that can be applied to any iterated mapping (i.e., any mapping which is based on a repeated round function). The method was recently popularized by Biham and Shamir, but Coppersmith has remarked that the S-boxes of DES were optimized against this attack some 20 years ago. This method has proved effective against several product ciphers, notably FEAL.
Differential cryptanalysis is based on observing a large number of
ciphertexts Y, Y' whose corresponding plaintexts X, X' satisfy a known
difference D = X+X', where + is component-wise XOR. In the basic Biham-Shamir
attack, 
such plaintext pairs are required to determine the key for
DES. Substantially fewer pairs are required if DES is truncated to 6 or 8
rounds. In these cases, the actual key can be recovered in a matter of
minutes using a few thousand pairs. For full DES this attack is impractical
because it requires so many known plaintexts.
The work of Biham and Shamir on DES revealed several startling observations
on the algorithm. Most importantly, if the key schedule was removed from DES
and a 16*48 = 768-bit key was used, the key could be recovered in less than
steps. Thus independent subkeys do not add substantial security to
DES. Further, the S-boxes of DES are extremely sensitive in that changing
even single entries in these tables yields significant improvement in the
differential attack.
Adi Shamir is quoted to say (NYTimes Oct 13 1991), ``I would say that, contrary to what some people believe, there is no evidence of tampering with the DES so that the basic design was weakened.''